diff --git a/rules/admin/package-install.yara b/rules/admin/package-install.yara
index e3952b84..c2cb330e 100644
--- a/rules/admin/package-install.yara
+++ b/rules/admin/package-install.yara
@@ -1,4 +1,4 @@
-rule yum_installer : suspicious {
+rule yum_installer : notable {
   meta:
 	description = "Installs software using yum"
   strings:
@@ -7,7 +7,7 @@ rule yum_installer : suspicious {
 	$val
 }
 
-rule dnf_installer : suspicious {
+rule dnf_installer : notable {
   meta:
 	description = "Installs software using dnf"
   strings:
@@ -16,7 +16,7 @@ rule dnf_installer : suspicious {
 	$val
 }
 
-rule rpm_installer : suspicious {
+rule rpm_installer : notable {
   meta:
 	description = "Installs software using rpm"
   strings:
@@ -25,7 +25,7 @@ rule rpm_installer : suspicious {
 	$val
 }
 
-rule apt_installer : suspicious {
+rule apt_installer : notable {
   meta:
 	description = "Installs software using apt"
   strings:
@@ -34,7 +34,7 @@ rule apt_installer : suspicious {
 	$val
 }
 
-rule apt_get_installer : suspicious {
+rule apt_get_installer : notable {
   meta:
 	description = "Installs software using apt-get"
   strings:
@@ -45,7 +45,7 @@ rule apt_get_installer : suspicious {
 	$val and not $foo
 }
 
-rule apk_installer : suspicious {
+rule apk_installer : notable {
   meta:
 	description = "Installs software using APK"
   strings:
@@ -62,18 +62,3 @@ rule pip_installer_regex : notable {
   condition:
 	any of them
 }
-
-rule pip_installer : suspicious {
-  meta:
-	description = "Installs software using pip from python"
-  strings:
-    $pip_install = "os.system('pip install"
-    $pip_install_spaces = "'pip', 'install'"
-    $pip_install_args = "'pip','install'"
-    $pip3_install = "os.system('pip3 install"
-    $pip3_install_spaces = "'pip3', 'install'"
-    $pip3_install_args = "'pip3','install'"
-  condition:
-	any of them
-}
-
diff --git a/rules/admin/pip_install.yara b/rules/admin/pip_install.yara
new file mode 100644
index 00000000..9859387b
--- /dev/null
+++ b/rules/admin/pip_install.yara
@@ -0,0 +1,14 @@
+rule pip_installer : suspicious {
+  meta:
+	description = "Installs software using pip from python"
+  strings:
+    $pip_install = "os.system('pip install"
+    $pip_install_spaces = "'pip', 'install'"
+    $pip_install_args = "'pip','install'"
+    $pip3_install = "os.system('pip3 install"
+    $pip3_install_spaces = "'pip3', 'install'"
+    $pip3_install_args = "'pip3','install'"
+  condition:
+	any of them
+}
+
diff --git a/rules/admin/shutdown.yara b/rules/admin/shutdown.yara
index 3f63a732..1dcf212c 100644
--- a/rules/admin/shutdown.yara
+++ b/rules/admin/shutdown.yara
@@ -1,5 +1,5 @@
 
-rule shutdown_s : suspicious {
+rule shutdown_val : notable {
   meta:
 	description = "calls shutdown command"
   strings:
diff --git a/rules/combo/backdoor/php.yara b/rules/combo/backdoor/php.yara
index d1e701d1..3077f03c 100644
--- a/rules/combo/backdoor/php.yara
+++ b/rules/combo/backdoor/php.yara
@@ -9,7 +9,7 @@ rule php_possible_backdoor : critical {
     hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e"
     hash_2023_0xShell_wesoori = "bab1040a9e569d7bf693ac907948a09323c5f7e7005012f7b75b5c1b2ced10ad"
   strings:
-    $php = "php"
+    $php = "<?php"
     $php_or = "<? "
     $f_base64_decode = "base64_decode"
     $f_strrev = "strrev"
@@ -77,6 +77,7 @@ rule php_bin_hashbang : critical {
 
 rule php_urlvar_recon_exec : critical {
   meta:
+	description = "Runs programs, gets URL data, and looks up system info"
     ref = "Backdoor.PHP.Llama"
     hash_2023_PHP_Backdoor_PHP_Goonshell_a = "42e5fafe25af2d2600691a26144cc47320ccfd07a224b72452dfa7de2e86ece3"
     hash_2023_PHP_Backdoor_PHP_Llama = "8de0f8ef54bff5e3b694b7585dc66ef9fd5a4b019a6650b8a2211db888e59dac"
@@ -87,6 +88,8 @@ rule php_urlvar_recon_exec : critical {
     hash_2023_Sysrv_Hello_sys_x86_64 = "cd784dc1f7bd95cac84dc696d63d8c807129ef47b3ce08cd08afb7b7456a8cd3"
     hash_2023_0xShell_0xShellori = "506e12e4ce1359ffab46038c4bf83d3ab443b7c5db0d5c8f3ad05340cb09c38e"
   strings:
+    $php = "<?php"
+
     $e_popen = "popen("
     $e_exec = "exec("
     $f_uname = "uname("
@@ -96,7 +99,7 @@ rule php_urlvar_recon_exec : critical {
 
 	$not_php = "PHP_VERSION_ID"
   condition:
-    any of ($e*) and any of ($f*) and any of ($x*) and none of ($not*)
+    any of ($p*) and any of ($e*) and any of ($f*) and any of ($x*) and none of ($not*)
 }
 
 rule php_system_to_perl {
diff --git a/rules/combo/recon/capabilities.yara b/rules/combo/recon/capabilities.yara
index 14d7e744..a24028c2 100644
--- a/rules/combo/recon/capabilities.yara
+++ b/rules/combo/recon/capabilities.yara
@@ -1,6 +1,6 @@
-rule hostinfo_collector : suspicious {
+rule process_capabilities_val : notable {
   meta:
-	description = "enumerates process capabilities"
+	description = "enumerates Linux capabilities for process"
   strings:
 	$capsh = "capsh" fullword
 	$self_status = "/proc/self/status"
diff --git a/rules/combo/stealer/browser.yara b/rules/combo/stealer/browser.yara
index ad47140c..af3ed572 100644
--- a/rules/combo/stealer/browser.yara
+++ b/rules/combo/stealer/browser.yara
@@ -54,10 +54,13 @@ rule multiple_browser_credentials_2 {
 }
 
 
-rule multiple_browser_refs : suspicious {
+rule multiple_browser_refs : notable {
   meta:
 	description = "Uses HTTP, archives, and references multiple browsers"
   strings:
+	$d_config = ".config" fullword
+	$d_app_support = "Application Support" fullword
+
 	$h_http = "http" fullword
 	$h_POST = "POST" fullword
 
@@ -72,5 +75,5 @@ rule multiple_browser_refs : suspicious {
 	$b_Safari = "Safari"
 	$b_Chrome = "Chrome"
   condition:
-    any of ($h*) and any of ($z*) and 2 of ($b*)
+    any of ($d*) and any of ($h*) and any of ($z*) and 2 of ($b*)
 }
diff --git a/rules/combo/stealer/telegram.yara b/rules/combo/stealer/telegram.yara
index f13f21ec..d28de677 100644
--- a/rules/combo/stealer/telegram.yara
+++ b/rules/combo/stealer/telegram.yara
@@ -2,8 +2,7 @@ rule discord_password_post_chat : suspicious {
   meta:
 	description = "gets passwords, makes HTTP requests, and uses Telegram"
   strings:
-	$c3 = "api.telegram"
-	$c4 = "Telegram"
+	$c3 = "api.telegram.org"
 
 	$h1 = "get("
 	$h2 = "post("
diff --git a/rules/combo/wiper/crypto.yara b/rules/combo/wiper/crypto.yara
index d1449e3e..0a9f0982 100644
--- a/rules/combo/wiper/crypto.yara
+++ b/rules/combo/wiper/crypto.yara
@@ -1,6 +1,7 @@
 
 rule uname_hostname_encrypt_wipe_kill : suspicious {
   meta:
+	description = "May encrypt, wipe files, and kill processes"
     hash_2023_Royal = "06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725"
     hash_2023_blackcat_x64 = "45b8678f74d29c87e2d06410245ab6c2762b76190594cafc9543fb9db90f3d4f"
     hash_2021_miner_gkqjh = "00ae07c9fe63b080181b8a6d59c6b3b6f9913938858829e5a42ab90fb72edf7a"
diff --git a/rules/combo/worm/ssh.yara b/rules/combo/worm/ssh.yara
index a0c2cc6f..f26b76de 100644
--- a/rules/combo/worm/ssh.yara
+++ b/rules/combo/worm/ssh.yara
@@ -10,8 +10,10 @@ rule ssh_snake_worm : suspicious {
 
 	$u_base64 = "base64"
 	$u_uname = "uname"
+
+	$strict_host = "StrictHostKeyChecking"
   condition:
-	all of ($s*) and any of ($h*) and any of ($u*)
+	$strict_host and all of ($s*) and any of ($h*) and any of ($u*)
 }
 
 rule ssh_worm_router : suspicious {
diff --git a/rules/crypto/file-encrypter.yara b/rules/crypto/file-encrypter.yara
index 2e4182f1..9036b58c 100644
--- a/rules/crypto/file-encrypter.yara
+++ b/rules/crypto/file-encrypter.yara
@@ -1,4 +1,4 @@
-rule file_crypter : suspicious {
+rule file_crypter : notable {
 	meta:
 		description = "Encrypts files"
 	strings:
diff --git a/rules/device/pseudo_terminal.yara b/rules/device/pseudo_terminal.yara
index d33c9c22..54533ff9 100644
--- a/rules/device/pseudo_terminal.yara
+++ b/rules/device/pseudo_terminal.yara
@@ -11,9 +11,9 @@ rule pty : notable {
 		2 of them
 }
 
-rule go_pty : suspicious {
+rule go_pty : notable {
 	meta:
-		description = "pseudo-terminal access"
+		description = "pseudo-terminal access from Go"
 	strings:
 		$ref = "creack/pty"
 	condition:
diff --git a/rules/evasion/base64-decode.yara b/rules/evasion/base64-decode.yara
index 11ba0903..7c225e77 100644
--- a/rules/evasion/base64-decode.yara
+++ b/rules/evasion/base64-decode.yara
@@ -1,8 +1,16 @@
-rule base64_decode : suspicious python {
+rule base64_decode : notable python {
   meta:
 	description = "decodes base64 strings"
   strings:
 	$b64decode = "b64decode"
+  condition:
+	any of them
+}
+
+rule urlsafe_decode64 : notable ruby {
+  meta:
+	description = "decodes base64 strings"
+  strings:
 	$urlsafe_decode64_ruby = "urlsafe_decode64"
   condition:
 	any of them
diff --git a/rules/evasion/fake-library.yara b/rules/evasion/fake-library.yara
index cc616182..8ea6adf4 100644
--- a/rules/evasion/fake-library.yara
+++ b/rules/evasion/fake-library.yara
@@ -1,4 +1,4 @@
-rule libnetresolv_fake : suspicious {
+rule libnetresolv_fake_val : suspicious {
   meta:
     ref = "https://cert.gov.ua/article/6123309"
 	description = "references fake library - possible dynamic library hijacking"
@@ -8,7 +8,7 @@ rule libnetresolv_fake : suspicious {
     any of them
 }
 
-rule libs_fake : suspicious {
+rule libs_fake_val : suspicious {
   meta:
     ref = "https://cert.gov.ua/article/6123309"
 	description = "references fake library, possible dynamic library hijacking"
@@ -19,7 +19,7 @@ rule libs_fake : suspicious {
 }
 
 
-rule libc_fake_number : suspicious {
+rule libc_fake_number_val : suspicious {
   meta:
     ref = "https://cert.gov.ua/article/6123309"
 	description = "references a non-standard libc library (normally libc.so.6)"
@@ -29,7 +29,7 @@ rule libc_fake_number : suspicious {
     any of them
 }
 
-rule hardcoded_usr_local_lib : suspicious {
+rule hardcoded_usr_local_lib_val : suspicious {
   meta:
     ref = "https://www.cadosecurity.com/migo-a-redis-miner-with-novel-system-weakening-techniques/"
 	description = "hardcodes /usr/local/lib path, possible dynamic library hijacking"
diff --git a/rules/evasion/fake-process-name.yara b/rules/evasion/fake-process-name.yara
index b2262d94..d7ac9d63 100644
--- a/rules/evasion/fake-process-name.yara
+++ b/rules/evasion/fake-process-name.yara
@@ -1,4 +1,4 @@
-rule fake_kworker : critical {
+rule fake_kworker_val : critical {
   meta:
 	description = "Pretends to be a kworker kernel thread"
   strings:
@@ -18,12 +18,12 @@ rule fake_syslogd : critical {
 	any of them
 }
 
-rule bash_sets_name : critical {
+rule bash_sets_name_val : critical {
   meta:
 	description = "uses 'exec -a' to set a process name"
 	ref = "https://www.jamf.com/blog/cryptojacking-macos-malware-discovered-by-jamf-threat-labs/"
   strings:
-	$ref = "exec -a"
+	$ref = /exec -a[ \w\/\.]{0,64}/
   condition:
 	any of them
 }
\ No newline at end of file
diff --git a/rules/evasion/fake-user-agent.yara b/rules/evasion/fake-user-agent.yara
index 7a90d31d..7d448ca9 100644
--- a/rules/evasion/fake-user-agent.yara
+++ b/rules/evasion/fake-user-agent.yara
@@ -71,9 +71,9 @@ rule elf_faker_val : high {
   meta:
 	description = "Fake user agent inside ELF binary"
   strings:
-	$ref = /Mozilla\/5[\.\w ]{0,32}/
+	$val = /Mozilla\/5[\.\w ]{0,64}/
   condition:
-    uint32(0) == 1179403647 and $ref
+    uint32(0) == 1179403647 and $val
 }
 
 
diff --git a/rules/exfil/telegram.yara b/rules/exfil/telegram.yara
index 0d5e6f8d..54552d99 100644
--- a/rules/exfil/telegram.yara
+++ b/rules/exfil/telegram.yara
@@ -1,4 +1,3 @@
-
 rule telegram_bot : suspicious {
   meta:
     ref = "https://github.com/bartblaze/community/blob/3f3997f8c79c3605ae6d5324c8578cb12c452512/data/yara/binaries/indicator_suspicious.yar#L676"
diff --git a/rules/net/fetch-suspicious.yara b/rules/net/fetch-suspicious.yara
index ced9db53..f452003c 100644
--- a/rules/net/fetch-suspicious.yara
+++ b/rules/net/fetch-suspicious.yara
@@ -30,7 +30,7 @@ rule suspicious_fetch_command_val : suspicious {
     hash_2021_trojan_Gafgyt_DDoS = "1f94aa7ad1803a08dab3442046c9d96fc3d19d62189f541b07ed732e0d62bf05"
     hash_2021_trojan_Gafgyt_23DZ = "b34bb82ef2a0f3d02b93ed069fee717bd1f9ed9832e2d51b0b2642cb0b4f3891"
   strings:
-    $c_curl_d = /curl [\- \w]{0,16}-[ALCdOok][\/\- \w\%\(\{\}\'\"\)\$]{0,128}/
+    $c_curl_d = /curl [\- \w]{0,16}-[dOok][\/\- \w\%\(\{\}\'\"\)\$]{0,128}/
     $c_curl_insecure = /curl [\- \w]{0,128}--insecure[\/\- \w\%\(\{\}\'\"\)\$]{0,128}/
     $c_kinda_curl_silent_insecure = "--silent --insecure"
     $c_kinda_curl_silent_k = "-k --insecure"
diff --git a/rules/net/syncookie.yara b/rules/net/syncookie.yara
index 58ea69b7..028256b3 100644
--- a/rules/net/syncookie.yara
+++ b/rules/net/syncookie.yara
@@ -1,4 +1,7 @@
-rule syn_cookie : suspicious {
+rule syn_cookie : notable {
+  meta:
+	description = "references SYN cookies, used to resist DoS attacks"
+	ref = "https://en.wikipedia.org/wiki/SYN_cookies"
   strings:
     $syncookie = "syncookie"
     $syn_cookie = "syn_cookie"
diff --git a/rules/persist/ssh_authorized_keys.yara b/rules/persist/ssh_authorized_keys.yara
index 9601643e..88ef737c 100644
--- a/rules/persist/ssh_authorized_keys.yara
+++ b/rules/persist/ssh_authorized_keys.yara
@@ -1,4 +1,4 @@
-rule ssh_authorized_key : suspicious {
+rule ssh_authorized_key_val : notable {
   meta:
     ref = "https://www.sentinelone.com/blog/macos-malware-2023-a-deep-dive-into-emerging-trends-and-evolving-techniques/"
 	description = "Accesses SSH authorized_keys"
@@ -6,6 +6,7 @@ rule ssh_authorized_key : suspicious {
 	$ssh_ = ".ssh" fullword
 	$ssh2 = "authorized_keys"
 	$not_ssh_client = "SSH_AUTH_SOCK"
+	$not_example = "/home/user/.ssh/authorized_keys"
   condition:
      all of ($ssh*) and none of ($not*)
 }
diff --git a/rules/privesc/sudo.yara b/rules/privesc/sudo.yara
index 16c4bdf7..97ea1b98 100644
--- a/rules/privesc/sudo.yara
+++ b/rules/privesc/sudo.yara
@@ -10,7 +10,7 @@ rule unusual_sudo_commands_value : suspicious {
   strings:
     $sudo_echo = /sudo echo[\"\%@\-\$\w]{0,32}/
     $sudo_u_echo = /sudo -u [\%@\-\$\w]{2,32} echo/
-    $sudo_u_args = /sudo -u [\%\$\{]{1,2}[ \%\$\w\/]{0,32}/
+    $sudo_u_args = /sudo -u [\%\$\{\}]{1,2}[ \%\$\w\/]{0,32}/
     $sudo_args =/sudo %@\"\%@\-\$\w]/
     $sudo_no_sleep = /[\|\"\w\-]{0,16}sudo -S[ \%\$\w\/]{1,32}/
     $sudo_bash = /sudo bash[\"\%@\-\$\w]{1,64}/
diff --git a/rules/ref/ip_port.yara b/rules/ref/ip_port.yara
index b52012d1..bc01c2ed 100644
--- a/rules/ref/ip_port.yara
+++ b/rules/ref/ip_port.yara
@@ -1,9 +1,13 @@
-rule hardcoded_hostport2 : high {
+rule hardcoded_ip_port : high {
   meta:
 	description = "hardcoded IP:port destination"
   strings:
     $ipv4 = /([1-9][0-9]{1,2}\.){3}[1-9][0-9]{1,2}:\d{2,5}/ fullword
 	$not_ssdp = "239.255.255.250:1900"
+	$not_2181 = "10.101.203.230:2181"
+	$not_meta = "169.254.169.254:80"
+	$not_vnc = "10.10.10.10:5900"
+	$not_azure_pgsql = "20.66.25.58:5432"
   condition:
     any of ($ip*) and none of ($not*)
 }
diff --git a/rules/ref/path/var-log.yara b/rules/ref/path/var-log.yara
index 16590a60..ec56aa51 100644
--- a/rules/ref/path/var-log.yara
+++ b/rules/ref/path/var-log.yara
@@ -12,6 +12,7 @@ rule elf_var_log_path : suspicious {
 		description = "references paths within /var/log"
 	strings:
 		$ref = /\/var\/log\/[\%\w\.\-\/]{4,32}/ fullword
+		$not_amazon = "/var/log/amazon/"
 	condition:
-		uint32(0) == 1179403647 and $ref
+		uint32(0) == 1179403647 and $ref and none of ($not*)
 }
\ No newline at end of file
diff --git a/rules/ref/site/unusual.yara b/rules/ref/site/unusual.yara
index 5d4bd935..1fc5de76 100644
--- a/rules/ref/site/unusual.yara
+++ b/rules/ref/site/unusual.yara
@@ -14,6 +14,7 @@ rule unusual_http_hostname : suspicious {
     $not_electron = "ELECTRON_RUN_AS_NODE"
     $not_mail_ru = "go.mail.ru"
     $not_rambler = "novarambler.ru"
+	$not_localhost_app = "localhostapplication"
   condition:
     any of ($http*) and none of ($not_*)
 }
diff --git a/rules/ref/site/url-unusual.yara b/rules/ref/site/url-unusual.yara
index ab04531c..cf67a0b4 100644
--- a/rules/ref/site/url-unusual.yara
+++ b/rules/ref/site/url-unusual.yara
@@ -1,7 +1,7 @@
 
 rule unusual_nodename {
   meta:
-	description = "Contains HTTP hostname with a long node namhe"
+	description = "Contains HTTP hostname with a long node name"
   strings:
     $ref = /https*:\/\/\w{16,}\//
   condition:
diff --git a/rules/ref/words/exploit.yara b/rules/ref/words/exploit.yara
index c98f9041..b6a09077 100644
--- a/rules/ref/words/exploit.yara
+++ b/rules/ref/words/exploit.yara
@@ -10,6 +10,7 @@ rule exploiter : suspicious {
 		$ref6 = "Exploit" fullword
 		$ref7 = "Exploiting" fullword
 		$ref8 = "exploiting" fullword
+		$not_ms_example = "Drive-by Compromise"
 	condition:
-		any of them
+		any of ($ref*) and none of ($not*)		
 }
\ No newline at end of file
diff --git a/rules/ref/words/implant.yara b/rules/ref/words/implant.yara
index 854ad893..e18d6104 100644
--- a/rules/ref/words/implant.yara
+++ b/rules/ref/words/implant.yara
@@ -5,6 +5,8 @@ rule implant : suspicious {
 		$ref = "implant" fullword
 		$ref2 = "IMPLANT" fullword
 		$ref3 = "Implant"
+
+		$not_ms_example = "Drive-by Compromise"
 	condition:
-		any of them
+		any of ($ref*) and none of ($not*)
 }
\ No newline at end of file
diff --git a/rules/secrets/firefox-cookies.yara b/rules/secrets/firefox-cookies.yara
index f037eb9c..71e81a01 100644
--- a/rules/secrets/firefox-cookies.yara
+++ b/rules/secrets/firefox-cookies.yara
@@ -3,9 +3,7 @@ rule firefox_cookies : suspicious {
 		description = "Accesses Firefox cookies"
 	strings:
 		$firefox = "Firefox"
-		$cookie = "cookie"
-		$cookie2 = "Cookie"
-		$sqlite = "sqlite"
+		$cookie = "cookies.sqlite"
 	condition:
-		$firefox and ($sqlite and any of ($cookie*))
+		all of them
 }
diff --git a/rules/secrets/firefox-formhistory.yara b/rules/secrets/firefox-formhistory.yara
index 5c5ffd5d..f702a609 100644
--- a/rules/secrets/firefox-formhistory.yara
+++ b/rules/secrets/firefox-formhistory.yara
@@ -3,11 +3,7 @@ rule firefox_history : suspicious {
 		description = "Accesses Firefox form history, which contains passwords"
 	strings:
 		$firefox = "Firefox"
-		// shorter ref so that it is likely to match obfuscated binaries
-		$formhist = "formhis"
-		$cookie = "cookie"
-		$cookie2 = "Cookie"
-		$sqlite = "sqlite"
+		$formhist = "formhistory.sqlite"
 	condition:
-		$firefox and ($formhist or ($sqlite and any of ($cookie*)))
+		all of them
 }
diff --git a/rules/secrets/keychain.yara b/rules/secrets/keychain.yara
index ac3ec5a3..c8d46b38 100644
--- a/rules/secrets/keychain.yara
+++ b/rules/secrets/keychain.yara
@@ -1,6 +1,6 @@
 rule keychain : notable macos {
 	meta:
-		description = "Accesses the system keychain"
+		description = "May access the macOS keychain"
 	strings:
 		$ref = "Keychain"
 		$ref2 = "keychain"
diff --git a/rules/service/systemd.yara b/rules/service/systemd.yara
index e452ca6f..3c321faf 100644
--- a/rules/service/systemd.yara
+++ b/rules/service/systemd.yara
@@ -1,4 +1,4 @@
-rule systemctl_calls_val : suspicious {
+rule systemctl_calls_val : notable {
   meta:
     hash_2023_Downloads_6e35 = "6e35b5670953b6ab15e3eb062b8a594d58936dd93ca382bbb3ebdbf076a1f83b"
     hash_2023_Downloads_9929 = "99296550ab836f29ab7b45f18f1a1cb17a102bb81cad83561f615f3a707887d7"
diff --git a/rules/techniques/code_eval.yara b/rules/techniques/code_eval.yara
index 23245d39..19d4b733 100644
--- a/rules/techniques/code_eval.yara
+++ b/rules/techniques/code_eval.yara
@@ -1,4 +1,4 @@
-rule eval : suspicious {
+rule eval : notable {
 	meta:
 		description = "evaluate code dynamically using eval()"
 	strings:
@@ -8,7 +8,7 @@ rule eval : suspicious {
 		$val and none of ($not*)
 }
 
-rule python_exec : suspicious {
+rule python_exec : notable {
 	meta:
 		description = "evaluate code dynamically using exec()"
 	strings:
@@ -18,9 +18,9 @@ rule python_exec : suspicious {
 		$val and not $empty
 }
 
-rule shell_eval : suspicious {
+rule shell_eval : notable {
 	meta:
-		description = "evaluate code dynamically using eval"	
+		description = "evaluate shell code dynamically using eval"	
 	strings:
 		$val = /eval \$\w{0,64}/ fullword
 		// https://github.com/spf13/cobra/blob/0fc86c2ffd0326b6f6ed5fa36803d26993655c08/fish_completions.go#L59