diff --git a/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml b/rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml similarity index 94% rename from rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml rename to rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml index af21e4fc4..861b13bbc 100644 --- a/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml +++ b/rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2023/07/04" +deprecation_date = "2023/11/02" integration = ["endpoint"] -maturity = "production" +maturity = "deprecated" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" updated_date = "2023/11/02" @@ -10,8 +11,8 @@ updated_date = "2023/11/02" author = ["Elastic"] description = """ This detection rule detects the creation of a shell through a suspicious parent child relationship. Any reverse shells -spawned by the specified utilities that use a forked process to initialize the connection attempt will be captured -through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. +spawned by the specified utilities that use a forked process to initialize the connection attempt will be captured +through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. """ from = "now-9m" index = ["logs-endpoint.events.*"] 
@@ -20,12 +21,11 @@ license = "Elastic License v2" name = "Deprecated - Potential Reverse Shell via Suspicious Parent Process" note = "This rule was deprecated due to its addition to the umbrella `Potential Reverse Shell via Suspicious Child Process` (76e4d92b-61c1-4a95-ab61-5fd94179a1ee) rule." references = [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", ] risk_score = 47 rule_id = "4b1a807a-4e7b-414e-8cea-24bf580f6fc5" setup = """ - This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup @@ -51,8 +51,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", +] type = "eql" + query = ''' sequence by host.id, process.parent.entity_id with maxspan=1s [ process where host.os.type == "linux" and event.type == "start" and event.action == "fork" and ( 
@@ -71,33 +78,34 @@ sequence by host.id, process.parent.entity_id with maxspan=1s destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ] ''' + [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" -[[rule.threat]] -framework = "MITRE ATT&CK" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1071" +name = "Application Layer Protocol" +reference = "https://attack.mitre.org/techniques/T1071/" + [rule.threat.tactic] -name = "Command and Control" id = "TA0011" +name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" -[[rule.threat.technique]] -name = "Application Layer Protocol" -id = "T1071" -reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_shell_via_background_process.toml b/rules/linux/execution_shell_via_background_process.toml index e1e181aea..66e4580b3 100644 --- a/rules/linux/execution_shell_via_background_process.toml +++ b/rules/linux/execution_shell_via_background_process.toml 
@@ -47,12 +47,7 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 timestamp_override = "event.ingested"
-tags = ["Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Execution",
- "Data Source: Elastic Defend"
- ]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
 type = "eql"
 query = '''
 process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
diff --git a/rules/linux/execution_shell_via_child_tcp_utility_linux.toml b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml
new file mode 100644
index 000000000..e16d6f7ae
--- /dev/null
+++ b/rules/linux/execution_shell_via_child_tcp_utility_linux.toml
@@ -0,0 +1,102 @@
+[metadata]
+creation_date = "2023/11/02"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/11/02"
+
+[rule]
+author = ["Elastic"]
+description = """
+This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This
+activity consists of a network event that is followed by the creation of a shell process with suspicious command line
+arguments. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Reverse Shell via Child"
+references = [
+ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
+]
+risk_score = 47
+rule_id = "2138bb70-5a5e-42fd-be5e-b38edf6a6777"
+setup = """
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
+the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
+- Go to the Kibana home page and click Add integrations.
+- In the query bar, search for Elastic Defend and select the integration to see more details about it.
+- Click Add Elastic Defend.
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
+- Click Save and Continue.
+- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+"""
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Defend"
+ ]
+type = "eql"
+query = '''
+sequence by host.id, process.entity_id with maxspan=5s
+ [network where event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and
+ process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and destination.ip != null and
+ not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")]
+ [process where event.type == "start" and event.action == "exec" and
+ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and (
+ (process.args : ("-i", "-l")) or (process.parent.name == "socat" and process.parent.args : "*exec*")
+ )]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Execution"
+id = "TA0002"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Command and Control"
+id = "TA0011"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat.technique]]
+name = "Application Layer Protocol"
+id = "T1071"
+reference = "https://attack.mitre.org/techniques/T1071/"
diff --git a/rules/linux/execution_shell_via_java_revshell_linux.toml b/rules/linux/execution_shell_via_java_revshell_linux.toml
index 57df034c2..a23b2e45d 100644
--- a/rules/linux/execution_shell_via_java_revshell_linux.toml
+++ b/rules/linux/execution_shell_via_java_revshell_linux.toml
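Review bot: Neither sub-query of this new rule carries a `host.os.type == "linux"` predicate, although the rule is tagged `OS: Linux` and reads `logs-endpoint.events.*`, an index that is not OS-specific, so shells such as `bash`, `sh` or `zsh` launched with `-i`/`-l` on other Elastic Defend hosts will also satisfy it; the hunk in execution_shell_via_tcp_cli_utility_linux.toml removes the same predicate from both of its sub-queries and has the same gap. Insert `host.os.type == "linux" and` after `where` in each sub-query, as the java rule touched by this commit still does. The `cidrmatch` exclusion is also asymmetric: it lists IPv4 link-local and multicast ranges but only `::1` for IPv6, so adding `"fe80::/10", "ff00::/8"` would filter the two address families the same way.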
@@ -49,7 +49,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] type = "eql" query = ''' sequence by host.id with maxspan=5s @@ -57,9 +63,14 @@ sequence by host.id with maxspan=5s process.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ] by process.entity_id - [process where host.os.type == "linux" and event.action == "exec" and - process.parent.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and - process.parent.args : "-jar" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") + [process where host.os.type == "linux" and event.action == "exec" and process.parent.executable : ( + "/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*" + ) and process.parent.args : "-jar" and process.name in ( + "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish" + ) and not process.args : ( + "-xe", "/tmp/jenkins*.sh", "*/var/lib/jenkins/workspace/*", "vmstat*", "asterisk*", "mpstat*", "/usr/bin/ps*", "umask", "*yum*", "uptime -s", + "df -h . | awk '{print $2}'", "free | awk \"/Mem:/\" | awk '{print $2}'" + ) ] by process.parent.entity_id ''' diff --git a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml index abbf54a9e..12699249b 100644 --- a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml +++ b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml 
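Review bot: The new `not process.args : (...)` clause in the second sub-query is evaluated per argument, so the whole event is dropped as soon as any single argv element matches one pattern; broad tokens such as `"-xe"`, `"umask"` and `"*yum*"` therefore silence every `java -jar` child shell whose argument list happens to contain one of them, whatever the rest of the command line is. Only the path-anchored patterns (`"/tmp/jenkins*.sh"`, `"*/var/lib/jenkins/workspace/*"`) pin a specific benign invocation; the generic tokens would be safer expressed as `process.command_line` patterns that describe the full known-good command, or paired with the Jenkins paths in the same condition. The `query` string and the `sequence` it opens begin above this hunk.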
@@ -76,7 +76,9 @@ sequence by host.id, process.entity_id with maxspan=1s (process.name : "php*" and process.args : "-r" and process.args : "*fsockopen*" and process.args : "*/bin/*sh*") or (process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or (process.name : "openssl" and process.args : "-connect") or - (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3 and not process.args == "-z") or + (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3 and not process.args in ( + "-z", "-zv", "-vz", "-v" + )) or (process.name : "telnet" and process.args_count >= 3) ) and process.parent.name : ( "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "php*", "perl", "ruby", "lua*", diff --git a/rules/linux/execution_shell_via_meterpreter_linux.toml b/rules/linux/execution_shell_via_meterpreter_linux.toml index 202e77942..655c756f5 100644 --- a/rules/linux/execution_shell_via_meterpreter_linux.toml +++ b/rules/linux/execution_shell_via_meterpreter_linux.toml @@ -60,7 +60,12 @@ However, if more advanced configuration is required to detect specific behavior, """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution" + ] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/execution_shell_via_suspicious_binary.toml b/rules/linux/execution_shell_via_suspicious_binary.toml index fa8380a08..5b9480d19 100644 --- a/rules/linux/execution_shell_via_suspicious_binary.toml +++ b/rules/linux/execution_shell_via_suspicious_binary.toml 
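Review bot: Adding a bare `"-v"` to the exclusion on the `nc`/`ncat`/`netcat` branch discards every invocation that carries a verbose flag, whereas `-z` (zero-I/O scan) is the flag that actually distinguishes a port probe from a real connection; verbose output is routine on both benign and unwanted connects, so coverage is reduced without a false-positive rationale recorded in the commit. Consider keeping `"-z", "-zv", "-vz"` and leaving `-v` out, or stating in the rule's `note` which verbose-only invocation motivated it. The enclosing `sequence` query starts above this hunk.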
@@ -51,7 +51,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=1s diff --git a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml index 65cad55c5..e6b9d6370 100644 --- a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml +++ b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml 
@@ -50,17 +50,23 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend" + ] type = "eql" query = ''' -sequence by host.id with maxspan=1s - [network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and - process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and - destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1"] by process.entity_id - [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "fork") and - process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and - process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and not - process.args : "*imunify360-agent*"] by process.parent.entity_id +sequence by host.id with maxspan=5s + [network where event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and + process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and destination.ip != null and + not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] by process.entity_id + [process where event.type == "start" and event.action in ("exec", "fork") and + process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and ( + (process.args : ("-i", "-l")) or (process.parent.name == "socat" and process.parent.args : "*exec*") + )] by process.parent.entity_id ''' [[rule.threat]] 
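Review bot: The rewritten second sub-query drops the `not process.args : "*imunify360-agent*"` exclusion together with the parent-shell constraint, but nothing in the hunk shows that the new `process.args : ("-i", "-l")` requirement is what made that exclusion unnecessary; if the agent's shell invocations use `-i` or `-l`, the original false positive returns under the wider 5s `maxspan`. Either keep the exclusion alongside the new conditions or record in the rule's `note` why it is no longer needed. The `[[rule.threat]]` block on the hunk's last line continues below it.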
diff --git a/rules_building_block/discovery_suspicious_which_command_execution.toml b/rules_building_block/discovery_suspicious_which_command_execution.toml
index 131216f02..25c1d6c0e 100644
--- a/rules_building_block/discovery_suspicious_which_command_execution.toml
+++ b/rules_building_block/discovery_suspicious_which_command_execution.toml
@@ -22,7 +22,14 @@ name = "Suspicious which Enumeration"
 risk_score = 21
 rule_id = "5b18eef4-842c-4b47-970f-f08d24004bde"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Rule Type: BBR"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery",
+ "Data Source: Elastic Defend",
+ "Rule Type: BBR"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
 building_block_type = "default"