
Summary
This detection rule identifies reverse shell commands executed on UNIX-like systems. In a reverse shell the compromised host opens an outbound connection to an attacker-controlled machine and attaches an interactive shell to it, which gives the adversary remote control while sidestepping inbound firewall rules; it is one of the most common ways an initial code-execution foothold is turned into a persistent session. The rule uses the `get_endpoint_data` and `get_endpoint_data_unix` functions to read process execution events, including the command lines captured in Linux audit logs, and searches the command-line parameters for the tools that typically appear in reverse shell one-liners (`nc`, `ncat`, `bash`, `sh`, `python`, `php`). Matching process data is extracted with regular expressions and aggregated into statistics over the selected fields, so analysts can see when the commands ran, which users executed them, and which processes were involved. Because these tool names are also routine in legitimate administration, the surrounding command-line syntax (for example a `/dev/tcp/` redirection, `nc -e`, or a `socket` import paired with `subprocess`) is what separates a reverse shell from ordinary use; matches should be triaged with that context and known-good automation tuned out rather than treated as confirmed compromise.
Categories
- Linux
- Endpoint
Data Sources
- Process
- User Account
ATT&CK Techniques
- T1059.004
Created: 2024-02-09