
Summary
Detects Elastic Defend alerts whose process ancestry includes a package-manager install operation (npm/yarn/pnpm for Node.js; pip/Poetry/uv for Python; cargo/crates.io for Rust). This is a higher-order rule: it surfaces existing Defend alerts whose process tree contains such activity, so that potential supply-chain abuse, malicious post-install scripts, or compromised packages can be prioritized for triage.

The rule works in two stages. First, it identifies processes that performed an install by matching common install patterns in the command line (e.g., npm install, pip install, python -m pip install, cargo install, setup.py install/develop) and collects their entity_ids. Second, it intersects each alert's process ancestry with that set of install process entity_ids; an alert whose ancestry has a non-empty intersection descends from a package installation and is emitted for triage. The query runs over endpoint.alerts and endpoint.process data and uses MV_INTERSECTION and INLINE STATS to correlate install activity with descendant alerts. Because the intersection is computed against install processes present in the queried endpoint.process data, an install that is not in that data cannot produce a match.

The rule maps to MITRE ATT&CK T1195 (Supply Chain Compromise) and its sub-technique T1195.002 (Compromise Software Supply Chain). Severity is critical with a risk_score of 99. It is intended for endpoint detections and relies on Elastic Defend data.

False positives are expected from legitimate development and CI activity, where install commands routinely spawn build tools and test processes; tune by excluding known-safe package-install contexts. For incident response, remediation focuses on removing the suspect package, rotating any credentials exposed to it, and blocking related IOCs.
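The two-stage correlation above, written out in Python as an added illustration rather than the rule's own ES|QL. The install patterns, the CI exclusion hook, and all process and alert records below are constructed for the example; the field names follow Elastic Defend's process.entity_id and process.Ext.ancestry, but nothing here is taken from real endpoint data or from the rule itself.

```python
"""Illustrative re-implementation of the install-ancestry correlation.

Constructed example; not the rule's ES|QL and not Elastic code.
"""
import re
from typing import Callable, Iterable, Optional

# Command-line patterns approximating the install operations the summary lists.
# Constructed here; not the rule's own pattern set. The leading group allows a
# bare tool name, a space-separated one ("sh -c npm install") or a path prefix
# ("/usr/bin/pip3 install") while rejecting unrelated words like "postinstall".
INSTALL_PATTERNS = [
    re.compile(r"(?:^|[\s/])(?:npm|pnpm)\s+(?:install|i|ci|add)\b"),
    re.compile(r"(?:^|[\s/])yarn\s+(?:add|install)\b"),
    re.compile(r"(?:^|[\s/])(?:pip3?|python3?(?:\.\d+)?\s+-m\s+pip)\s+install\b"),
    re.compile(r"(?:^|[\s/])poetry\s+(?:add|install)\b"),
    re.compile(r"(?:^|[\s/])uv\s+(?:pip\s+install|add|sync)\b"),
    re.compile(r"(?:^|[\s/])cargo\s+install\b"),
    re.compile(r"setup\.py\s+(?:install|develop)\b"),
]


def is_package_install(command_line: str) -> bool:
    """True if the command line looks like a package-manager install."""
    return any(p.search(command_line) for p in INSTALL_PATTERNS)


def install_parent_ids(process_events: Iterable[dict],
                       is_excluded: Optional[Callable[[dict], bool]] = None) -> set:
    """Stage 1: collect entity_ids of processes that ran an install.

    is_excluded is the tuning hook: any install event it accepts is treated as
    a known-safe context and never contributes to the correlation set.
    """
    ids = set()
    for ev in process_events:
        proc = ev["process"]
        if not is_package_install(proc.get("command_line", "")):
            continue
        if is_excluded is not None and is_excluded(ev):
            continue
        ids.add(proc["entity_id"])
    return ids


def alerts_descended_from_install(alerts: Iterable[dict], install_ids: set) -> list:
    """Stage 2: keep alerts whose ancestry intersects the install set.

    The set intersection plays the role of MV_INTERSECTION over the
    process.Ext.ancestry multi-value field; an empty result drops the alert.
    """
    matches = []
    for alert in alerts:
        ancestry = alert["process"].get("Ext", {}).get("ancestry", [])
        hits = sorted(set(ancestry) & install_ids)
        if hits:
            matches.append({
                "alert": alert["rule"]["name"],
                "entity_id": alert["process"]["entity_id"],
                "install_ancestors": hits,
            })
    return matches


def is_ci_runner(ev: dict) -> bool:
    """Hypothetical exclusion: installs run by the CI service account."""
    return ev.get("user", {}).get("name") == "ci-runner"


# Constructed endpoint.process-style records (entity_id, command line, user).
PROCESS_EVENTS = [
    {"process": {"entity_id": "p1", "command_line": "/bin/sh -c npm install left-pad"},
     "user": {"name": "dev"}},
    {"process": {"entity_id": "p2", "command_line": "node /app/node_modules/evil/postinstall.js"},
     "user": {"name": "dev"}},
    {"process": {"entity_id": "p3", "command_line": "python3 -m pip install requests"},
     "user": {"name": "dev"}},
    {"process": {"entity_id": "p4", "command_line": "cargo build --release"},
     "user": {"name": "dev"}},
    {"process": {"entity_id": "p5", "command_line": "grep install README.md"},
     "user": {"name": "dev"}},
    {"process": {"entity_id": "p6", "command_line": "/usr/bin/pip3 install -r requirements.txt"},
     "user": {"name": "ci-runner"}},
]

# Constructed endpoint.alerts-style records; ancestry lists ancestor entity_ids,
# nearest parent first.
ALERTS = [
    {"rule": {"name": "Outbound connection to paste site"},
     "process": {"entity_id": "p10", "Ext": {"ancestry": ["p2", "p1", "p0"]}}},
    {"rule": {"name": "Shell spawned by build tool"},
     "process": {"entity_id": "p11", "Ext": {"ancestry": ["p4", "p0"]}}},
    {"rule": {"name": "Reverse shell"},
     "process": {"entity_id": "p12", "Ext": {"ancestry": ["p9", "p6", "p0"]}}},
]


if __name__ == "__main__":
    untuned = alerts_descended_from_install(ALERTS, install_parent_ids(PROCESS_EVENTS))
    tuned = alerts_descended_from_install(
        ALERTS, install_parent_ids(PROCESS_EVENTS, is_excluded=is_ci_runner))
    print("untuned:", untuned)
    print("tuned:  ", tuned)
```

Running it untuned emits both the alert under the developer's npm install (via the postinstall child p2) and the alert under the CI runner's pip install; with the is_ci_runner exclusion applied in stage 1 the CI-rooted alert drops out, which is the shape of tuning the summary recommends. Note that p12's ancestry only matches because p6 is present in the process data being searched.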
Categories
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1195
- T1195.002
Created: 2026-03-31