[Security Content] Small tweaks on the setup guides (#3308)

* [Security Content] Small tweaks on the setup guides

* Additional Fixes

* Avoid touching deprecated rules
Jonhnathan
2024-03-11 09:09:40 -03:00
parent edf4da8526
commit 458e67918a
477 changed files with 576 additions and 871 deletions
@@ -62,7 +62,6 @@ Initiate the incident response process based on the outcome of the triage.
- Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = [
"https://gtfobins.github.io/gtfobins/apt/",
@@ -93,7 +92,7 @@ references = [
]
risk_score = 47
rule_id = "52376a86-ee86-4967-97ae-1a05f55816f0"
setup = """
setup = """## Setup
This rule requires data coming in from Elastic Defend.
@@ -126,7 +125,6 @@ Session View uses process data collected by the Elastic Defend integration, but
- If you want to include file and network alerts in Session View, check the boxes for “Network and File events”.
- If you want to enable terminal output capture, turn on the “Capture terminal output” toggle.
For more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]