Revert "Back-porting Version Trimming (#3681)"

This reverts commit 71d2c59b5c.

rules/linux/execution_shell_via_background_process.toml

@@ -2,13 +2,15 @@
 creation_date = "2023/09/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/08"
 
 [rule]
 author = ["Elastic"]
 description = """
-Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp
-channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further.
+Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp 
+channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further. 
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
@@ -43,51 +45,49 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = [
-    "Domain: Endpoint",
-    "OS: Linux",
-    "Use Case: Threat Detection",
-    "Tactic: Execution",
-    "Data Source: Elastic Defend",
-    "Data Source: Elastic Endgame",
-]
 timestamp_override = "event.ingested"
+tags = [
+        "Domain: Endpoint",
+        "OS: Linux",
+        "Use Case: Threat Detection",
+        "Tactic: Execution",
+        "Data Source: Elastic Defend",
+        "Data Source: Elastic Endgame"
+        ]
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
 process.name in ("setsid", "nohup") and process.args : "*/dev/tcp/*0>&1*" and 
 process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Execution"
+id = "TA0002"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
 
-
-
-[rule.threat.tactic]
-id = "TA0002"
-name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1071"
-name = "Application Layer Protocol"
-reference = "https://attack.mitre.org/techniques/T1071/"
-
 
 [rule.threat.tactic]
-id = "TA0011"
 name = "Command and Control"
+id = "TA0011"
 reference = "https://attack.mitre.org/tactics/TA0011/"
 
+[[rule.threat.technique]]
+name = "Application Layer Protocol"
+id = "T1071"
+reference = "https://attack.mitre.org/techniques/T1071/"