Potential Widespread Malware Infection Across Multiple Hosts

Elastic Detection Rules

Summary
This detection rule identifies potential widespread malware infections across multiple hosts by analyzing alert data for triggered malware signatures. It targets alerts carrying specific event codes, such as "malicious_file", "memory_signature", and "shellcode_thread". By collecting and counting the distinct host IDs associated with these alerts, the rule flags any case where the same signature has been observed on three or more hosts. This helps security analysts prioritize threats that may indicate coordinated infections, improving response and investigation efforts. The investigation guide provides comprehensive steps for analysts, including reviewing alert details, correlating with threat intelligence, examining affected hosts, and considering potential false positives that may arise from legitimate activities such as software updates or security testing. The rule is particularly valuable in rapidly escalating situations where multiple systems may be compromised, enabling a timely and effective security response.
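The aggregation the summary describes, as an added Python illustration rather than the rule's own query: alerts are filtered to the three malware-signature event codes, distinct host IDs are collected per signature, and any signature seen on three or more hosts is flagged. The alert records are constructed, and the field names are assumptions ("event.code" and "host.id" follow ECS; "rule.name" stands in for whatever field carries the signature name in the real alert documents).

```python
from collections import defaultdict

# Event codes the rule summary lists as malware-signature hits.
MALWARE_EVENT_CODES = {"malicious_file", "memory_signature", "shellcode_thread"}
HOST_THRESHOLD = 3  # distinct hosts needed before a signature counts as widespread

# Constructed sample alerts. Field names are assumptions: "event.code" and
# "host.id" follow ECS; "rule.name" stands in for the signature-name field.
SAMPLE_ALERTS = [
    {"event.code": "malicious_file",   "rule.name": "Sig.A", "host.id": "h-01"},
    {"event.code": "malicious_file",   "rule.name": "Sig.A", "host.id": "h-01"},  # repeat on same host
    {"event.code": "memory_signature", "rule.name": "Sig.A", "host.id": "h-02"},
    {"event.code": "shellcode_thread", "rule.name": "Sig.A", "host.id": "h-03"},
    {"event.code": "malicious_file",   "rule.name": "Sig.B", "host.id": "h-04"},
    {"event.code": "malicious_file",   "rule.name": "Sig.B", "host.id": "h-04"},
    {"event.code": "malicious_file",   "rule.name": "Sig.B", "host.id": "h-05"},
    {"event.code": "process_event",    "rule.name": "Sig.C", "host.id": "h-06"},  # not a malware code
    {"event.code": "process_event",    "rule.name": "Sig.C", "host.id": "h-07"},
    {"event.code": "process_event",    "rule.name": "Sig.C", "host.id": "h-08"},
    {"event.code": "malicious_file",   "rule.name": "Sig.A"},                     # missing host.id
]


def widespread_signatures(alerts, threshold=HOST_THRESHOLD):
    """Return {signature: sorted distinct host IDs} for every signature seen on
    at least `threshold` distinct hosts through a malware-signature event code."""
    hosts_by_signature = defaultdict(set)
    for alert in alerts:
        if alert.get("event.code") not in MALWARE_EVENT_CODES:
            continue  # only signature-hit alerts count toward the host tally
        signature = alert.get("rule.name")
        host_id = alert.get("host.id")
        if not signature or not host_id:
            continue  # incomplete record: cannot be attributed to a host
        hosts_by_signature[signature].add(host_id)  # a set dedups repeat hits per host
    return {
        sig: sorted(hosts)
        for sig, hosts in hosts_by_signature.items()
        if len(hosts) >= threshold
    }


if __name__ == "__main__":
    for sig, hosts in widespread_signatures(SAMPLE_ALERTS).items():
        print(f"{sig}: {len(hosts)} hosts -> {', '.join(hosts)}")
```

Only Sig.A is flagged on the sample data: Sig.B reaches two distinct hosts (the repeat on h-04 does not count twice), and Sig.C is excluded because its alerts carry a non-malware event code.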
Categories
  • Endpoint
  • Cloud
  • Infrastructure
Data Sources
  • Logon Session
  • Process
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1204
  • T1204.002
Created: 2024-05-08