
Summary
This analytic rule monitors network connections logged by Cisco Secure Firewall Threat Defense to detect potential reverse shell activity over unusual ports, which malicious actors often use for command and control (C2) communications or unauthorized access. The rule focuses on high-risk, non-standard ports such as 4444, 2222, and 51820, which are commonly associated with remote access tools and shell listeners such as netcat and Meterpreter. Using connection-event log data, the rule checks for any connections to these suspicious ports and generates an alert when potentially malicious activity is identified. Organizations should be aware that legitimate applications may also use these ports and should have a thorough validation process in place before escalating any incident.
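As an added illustration (not the rule's own query or Cisco's code), the Python below applies the port check described above to a few constructed connection-event lines; the simplified FTD field layout, the IP addresses and the allowlist entry are assumptions made for this example.

```python
import re

# Destination ports the rule treats as high-risk for reverse-shell listeners.
SUSPICIOUS_PORTS = {4444, 2222, 51820}

# Hypothetical allowlist of (destination IP, port) pairs for sanctioned services,
# e.g. a known WireGuard VPN gateway on WireGuard's default port 51820.
ALLOWLIST = {("203.0.113.10", 51820)}

# Constructed sample lines in a simplified "Key: value, Key: value" style;
# the exact field layout is an assumption for this example, not Cisco's spec.
SAMPLE_LOGS = [
    "%FTD-6-430002: SrcIP: 10.0.0.15, DstIP: 198.51.100.7, SrcPort: 51234, "
    "DstPort: 4444, Protocol: tcp, AccessControlRuleAction: Allow",
    "%FTD-6-430003: SrcIP: 10.0.0.22, DstIP: 203.0.113.10, SrcPort: 40111, "
    "DstPort: 51820, Protocol: udp",
    "%FTD-6-430002: SrcIP: 10.0.0.9, DstIP: 93.184.216.34, SrcPort: 51235, "
    "DstPort: 443, Protocol: tcp",
    "%FTD-6-430003: SrcIP: 10.0.0.31, DstIP: 198.51.100.99, SrcPort: 40222, "
    "DstPort: 2222, Protocol: tcp",
]

FIELD_RE = re.compile(r"(\w+): ([^,]+)")


def parse_event(line):
    """Return a dict of the 'Key: value' pairs after the message-ID prefix."""
    _, _, body = line.partition(": ")
    return {k: v.strip() for k, v in FIELD_RE.findall(body)}


def is_suspicious(event):
    """True when DstPort is in the watch set and the destination is not allowlisted."""
    try:
        port = int(event.get("DstPort", ""))
    except ValueError:
        return False  # no usable port field: cannot match this rule
    if port not in SUSPICIOUS_PORTS:
        return False
    return (event.get("DstIP"), port) not in ALLOWLIST


def detect(lines):
    """Return (SrcIP, DstIP, DstPort, Protocol) for every event that matches."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious(ev):
            hits.append((ev["SrcIP"], ev["DstIP"], int(ev["DstPort"]), ev.get("Protocol")))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOGS):
        print("ALERT possible reverse shell:", hit)
```

The allowlisted WireGuard connection on 51820 is deliberately not flagged, which is the validation step the summary asks for before escalation.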
Categories
- Network
- Cloud
- Endpoint
Data Sources
- Network Traffic
- Application Log
- Firewall
ATT&CK Techniques
- T1021
- T1055
- T1059.001
- T1105
- T1219
- T1571
Created: 2025-04-02