Credential Manipulation - Detected - Elastic Endgame

Elastic Detection Rules

Summary
This rule detects credential manipulation activities through the Elastic Endgame security solution. It is designed to monitor and alert on token manipulation events, which adversaries often exploit to escalate privileges by modifying access tokens. The detection logic involves a Kuery-based query that looks for `alert` events generated by the Endgame module, specifically targeting token manipulation actions. This rule has a high risk score of 73 and is set to generate more alerts than the default to capture a wider range of potential threats. It requires careful investigation of any triggered alerts, including a review of associated user accounts and the context of detected actions to distinguish between legitimate activity and potential unauthorized access. Additionally, the rule aligns with the MITRE ATT&CK framework under the Privilege Escalation tactic, specifically referencing the Access Token Manipulation technique. A detailed guide for investigating incidents flagged by this rule is provided, highlighting steps for triaging alerts and responding effectively to detected threats.
Categories
  • Endpoint
  • Windows
  • Cloud
Data Sources
  • User Account
  • Process
  • Application Log
ATT&CK Techniques
  • T1134
Created: 2020-02-18