diff --git a/rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml b/rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml
index df886441e..15421c02e 100644
--- a/rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml
+++ b/rules/_deprecated/command_and_control_ssh_secure_shell_from_the_internet.toml
@@ -10,7 +10,7 @@ description = """
 This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by
 system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it
 should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial
-access or back-door vector.
+access or backdoor vector.
 """
 false_positives = [
 """
diff --git a/rules/_deprecated/command_and_control_ssh_secure_shell_to_the_internet.toml b/rules/_deprecated/command_and_control_ssh_secure_shell_to_the_internet.toml
index 65c745183..43c15443c 100644
--- a/rules/_deprecated/command_and_control_ssh_secure_shell_to_the_internet.toml
+++ b/rules/_deprecated/command_and_control_ssh_secure_shell_to_the_internet.toml
@@ -10,7 +10,7 @@ description = """
 This rule detects network events that may indicate the use of SSH traffic from the Internet. SSH is commonly used by
 system administrators to remotely control a system using the command line shell. If it is exposed to the Internet, it
 should be done with strong security controls as it is frequently targeted and exploited by threat actors as an initial
-access or back-door vector.
+access or backdoor vector.
 """
 false_positives = [
 """
diff --git a/rules/_deprecated/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml b/rules/_deprecated/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml
index 4611c786a..c22bb27e9 100644
--- a/rules/_deprecated/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml
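Review bot: In the second hunk (command_and_control_ssh_secure_shell_to_the_internet.toml) the first context line still reads "the use of SSH traffic from the Internet", which is the wording of the from-the-Internet rule, so the deprecated to-the-Internet rule describes the opposite traffic direction; the commit touches this line's paragraph but leaves that. If deprecated rules are still accepted for wording fixes, the line should read `This rule detects network events that may indicate the use of SSH traffic to the Internet. SSH is commonly used by`. The description block continues unchanged outside the hunk.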
+++ b/rules/_deprecated/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml
@@ -10,7 +10,7 @@ description = """
 This rule detects network events that may indicate the use of RDP traffic to the Internet. RDP is commonly used by
 system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
 directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
-back-door vector.
+backdoor vector.
 """
 false_positives = [
 """
diff --git a/rules/apm/apm_403_response_to_a_post.toml b/rules/apm/apm_403_response_to_a_post.toml
index 27bd6cd3d..a9f084b85 100644
--- a/rules/apm/apm_403_response_to_a_post.toml
+++ b/rules/apm/apm_403_response_to_a_post.toml
@@ -7,7 +7,7 @@ updated_date = "2021/07/13"
 author = ["Elastic"]
 description = """
 A POST request to web application returned a 403 response, which indicates the web application declined to process the
-request because the action requested was not allowed
+request because the action requested was not allowed.
 """
 false_positives = [
 """
diff --git a/rules/apm/apm_405_response_method_not_allowed.toml b/rules/apm/apm_405_response_method_not_allowed.toml
index 1872216df..417cea801 100644
--- a/rules/apm/apm_405_response_method_not_allowed.toml
+++ b/rules/apm/apm_405_response_method_not_allowed.toml
@@ -7,7 +7,7 @@ updated_date = "2021/07/13"
 author = ["Elastic"]
 description = """
 A request to web application returned a 405 response which indicates the web application declined to process the request
-because the HTTP method is not allowed for the resource
+because the HTTP method is not allowed for the resource.
 """
 false_positives = [
 """
diff --git a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
index 26ef78dfd..8f0c80758 100644
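Review bot: The apm_403_response_to_a_post.toml and apm_405_response_method_not_allowed.toml hunks add the missing full stop but leave the first context line of each description without an article ("A POST request to web application", "A request to web application"), and the 405 sentence also lacks the comma the 403 sentence has before "which indicates". Since both descriptions are being edited for wording, the same pass should make the opening lines `A POST request to a web application returned a 403 response, which indicates the web application declined to process the` and `A request to a web application returned a 405 response, which indicates the web application declined to process the`; the 405 line is already at the 120-column limit, so "request" moves to the next line and the paragraph needs rewrapping. The rest of each description block is outside the hunk.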
--- a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
+++ b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
@@ -7,7 +7,7 @@ updated_date = "2021/05/17"
 author = ["Elastic", "Austin Songer"]
 description = """
 Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an
-attempt to brute force a password or single sign-on token.
+attempt to brute force a password or SSO token.
 """
 false_positives = [
 """
diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
index bc30e7a2b..6b36e1caf 100644
--- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
+++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
@@ -9,7 +9,7 @@ description = """
 This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for
 Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques
 of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and
-SHA256 hashing algorithms (the default is SHA1) - see the Reference section for additional information on module
+SHA256 hashing algorithms (the default is SHA1) - see the References section for additional information on module
 configuration.
 """
 from = "now-9m"
diff --git a/rules/network/command_and_control_dns_directly_to_the_internet.toml b/rules/network/command_and_control_dns_directly_to_the_internet.toml
index 1ae99a778..3c3130887 100644
--- a/rules/network/command_and_control_dns_directly_to_the_internet.toml
+++ b/rules/network/command_and_control_dns_directly_to_the_internet.toml
@@ -7,9 +7,9 @@ updated_date = "2021/05/26"
 author = ["Elastic"]
 description = """
 This rule detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior
-for a managed network, and can be indicative of malware, exfiltration, command and control, or, simply,
+for a managed network, and can be indicative of malware, exfiltration, command and control, or simply,
 misconfiguration. This DNS activity also impacts your organization's ability to provide enterprise monitoring and
-logging of DNS, and opens your network to a variety of abuses and malicious communications.
+logging of DNS and opens your network to a variety of abuses and malicious communications.
 """
 false_positives = [
 """
diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
index 4922735a5..ab8181b80 100644
--- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
+++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
@@ -9,7 +9,7 @@ description = """
 This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by
 system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
 directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
-back-door vector.
+backdoor vector.
 """
 false_positives = [
 """
diff --git a/rules/network/command_and_control_telnet_port_activity.toml b/rules/network/command_and_control_telnet_port_activity.toml
index 32bcc62ff..d9268145c 100644
--- a/rules/network/command_and_control_telnet_port_activity.toml
+++ b/rules/network/command_and_control_telnet_port_activity.toml
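Review bot: In the command_and_control_dns_directly_to_the_internet.toml hunk the first changed line drops the comma before "simply" but keeps the one after it, so the new text reads "command and control, or simply, misconfiguration." with a stray comma straddling the line break. Either remove both commas, `+for a managed network, and can be indicative of malware, exfiltration, command and control, or simply`, or keep the parenthetical pair as the old line had it; the half-removed form is the one reading that is wrong. The `misconfiguration.` continuation is the unchanged context line that follows.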
@@ -7,9 +7,9 @@ updated_date = "2021/03/03"
 author = ["Elastic"]
 description = """
 This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system
-administrators to remotely control older or embed ed systems using the command line shell. It should almost never be
+administrators to remotely control older or embedded systems using the command line shell. It should almost never be
 directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
-back-door vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing
+backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing
 the traffic.
 """
 false_positives = [
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
index de317d092..25c22a1f8 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
@@ -9,7 +9,7 @@ description = """
 This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by
 system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
 directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
-back-door vector.
+backdoor vector.
 """
 false_positives = [
 """
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
index 28dbff924..4e2af0def 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
@@ -9,7 +9,7 @@ description = """
 This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by
 system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
 directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
-back-door vector.
+backdoor vector.
 """
 false_positives = [
 """
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
index 5e2ad5b39..e7404a012 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
@@ -9,7 +9,7 @@ description = """
 This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by
 system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
 directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
-back-door vector.
+backdoor vector.
 """
 from = "now-9m"
 index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
index 8ef1c4a35..b03ebd5c0 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
@@ -9,7 +9,7 @@ description = """
 This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by
 system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be
 directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
-back-door vector.
+backdoor vector.
 """
 from = "now-9m"
 index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
index 84a3119a6..9eaceac7e 100644
--- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
+++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
@@ -9,7 +9,7 @@ description = """
 This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to
 the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted
 systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by
-threat actors as an initial access or back-door vector or for data exfiltration.
+threat actors as an initial access or backdoor vector or for data exfiltration.
 """
 from = "now-9m"
 index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml
index 067004551..01068897b 100644
--- a/rules/windows/execution_ms_office_written_file.toml
+++ b/rules/windows/execution_ms_office_written_file.toml
@@ -7,7 +7,7 @@ updated_date = "2021/07/19"
 author = ["Elastic"]
 description = """
 Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often
-launched via scripts inside documents or during exploitation of MS Office applications.
+launched via scripts inside documents or during exploitation of Microsoft Office applications.
 """
 from = "now-120m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]