Move Setup information into setup filed (#3206)

rules/linux/execution_shell_evasion_linux_binary.toml

@@ -63,7 +63,37 @@ Initiate the incident response process based on the outcome of the triage.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 
-## Setup
+"""
+references = [
+    "https://gtfobins.github.io/gtfobins/apt/",
+    "https://gtfobins.github.io/gtfobins/apt-get/",
+    "https://gtfobins.github.io/gtfobins/nawk/",
+    "https://gtfobins.github.io/gtfobins/mawk/",
+    "https://gtfobins.github.io/gtfobins/awk/",
+    "https://gtfobins.github.io/gtfobins/gawk/",
+    "https://gtfobins.github.io/gtfobins/busybox/",
+    "https://gtfobins.github.io/gtfobins/c89/",
+    "https://gtfobins.github.io/gtfobins/c99/",
+    "https://gtfobins.github.io/gtfobins/cpulimit/",
+    "https://gtfobins.github.io/gtfobins/crash/",
+    "https://gtfobins.github.io/gtfobins/env/",
+    "https://gtfobins.github.io/gtfobins/expect/",
+    "https://gtfobins.github.io/gtfobins/find/",
+    "https://gtfobins.github.io/gtfobins/flock/",
+    "https://gtfobins.github.io/gtfobins/gcc/",
+    "https://gtfobins.github.io/gtfobins/mysql/",
+    "https://gtfobins.github.io/gtfobins/nice/",
+    "https://gtfobins.github.io/gtfobins/ssh/",
+    "https://gtfobins.github.io/gtfobins/vi/",
+    "https://gtfobins.github.io/gtfobins/vim/",
+    "https://gtfobins.github.io/gtfobins/capsh/",
+    "https://gtfobins.github.io/gtfobins/byebug/",
+    "https://gtfobins.github.io/gtfobins/git/",
+    "https://gtfobins.github.io/gtfobins/ftp/",
+]
+risk_score = 47
+rule_id = "52376a86-ee86-4967-97ae-1a05f55816f0"
+setup = """
 
 This rule requires data coming in from Elastic Defend.
 
@@ -100,35 +130,6 @@ For more information about the additional fields collected when this setting is
 the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).
 
 """
-references = [
-    "https://gtfobins.github.io/gtfobins/apt/",
-    "https://gtfobins.github.io/gtfobins/apt-get/",
-    "https://gtfobins.github.io/gtfobins/nawk/",
-    "https://gtfobins.github.io/gtfobins/mawk/",
-    "https://gtfobins.github.io/gtfobins/awk/",
-    "https://gtfobins.github.io/gtfobins/gawk/",
-    "https://gtfobins.github.io/gtfobins/busybox/",
-    "https://gtfobins.github.io/gtfobins/c89/",
-    "https://gtfobins.github.io/gtfobins/c99/",
-    "https://gtfobins.github.io/gtfobins/cpulimit/",
-    "https://gtfobins.github.io/gtfobins/crash/",
-    "https://gtfobins.github.io/gtfobins/env/",
-    "https://gtfobins.github.io/gtfobins/expect/",
-    "https://gtfobins.github.io/gtfobins/find/",
-    "https://gtfobins.github.io/gtfobins/flock/",
-    "https://gtfobins.github.io/gtfobins/gcc/",
-    "https://gtfobins.github.io/gtfobins/mysql/",
-    "https://gtfobins.github.io/gtfobins/nice/",
-    "https://gtfobins.github.io/gtfobins/ssh/",
-    "https://gtfobins.github.io/gtfobins/vi/",
-    "https://gtfobins.github.io/gtfobins/vim/",
-    "https://gtfobins.github.io/gtfobins/capsh/",
-    "https://gtfobins.github.io/gtfobins/byebug/",
-    "https://gtfobins.github.io/gtfobins/git/",
-    "https://gtfobins.github.io/gtfobins/ftp/",
-]
-risk_score = 47
-rule_id = "52376a86-ee86-4967-97ae-1a05f55816f0"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"