[Rule Tuning] Several rule tunings (#3024)

* [Rule Tuning] Several rule tunings

* Added 1 more

* optimized ransomware encryption rules

* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml

* Update rules/linux/impact_potential_linux_ransomware_note_detected.toml

* Added 2 more tunings based on todays telemetry

* Some tunings

* Tuning

* Tuning

* fixed user.id comparison

* Something went wrong with deprecation

* Something went wrong with deprecation

* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml

* Update rules/linux/discovery_linux_nping_activity.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/discovery_linux_hping_activity.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Dedeprecated the rule to deprecate later

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit a1716bd673)

rules/linux/persistence_linux_shell_activity_via_web_server.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/20"
+updated_date = "2023/08/24"
 
 [transform]
 [[transform.osquery]]
@@ -122,7 +122,8 @@ event.action in ("exec", "exec_event") and process.parent.executable : (
   "*/bin/catalina.sh"
 ) and
 process.name : ("*sh", "python*", "perl", "php*", "tmux") and
-process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd")
+process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd") and
+not process.name == "phpquery"
 '''
 
 [[rule.threat]]