
Summary
This rule identifies hosts that have triggered multiple distinct Elastic Defend behavior rules. To keep the false-positive rate low it considers only behavior rules that fired on a single host within the lookback window: a rule that fires across many hosts is treated as common noise and discarded, while a host that exhibits two or more of these rare behaviors is considerably more likely to be compromised and is therefore prioritised for triage. The detection queries Elastic Defend behavior alerts and uses the ES|QL INLINE STATS command to attach to each alert the number of distinct hosts on which that rule fired, so alerts for rules seen on more than one host can be dropped while the remaining rows stay intact. It then counts the distinct surviving rules per host and flags any host with two or more as critical, requiring immediate attention and further investigation. Note the trade-off this filter implies: a behavior that fires on many hosts at once (for example during lateral movement) is excluded here, so this rule complements the underlying per-host behavior alerts rather than replacing them.
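The following is an added example, not the rule's own ES|QL query, that reproduces the described triage logic in Python over a handful of constructed Elastic Defend style alert documents. Host names, rule names, timestamps, the 24-hour lookback window and the threshold of two rules are all assumptions made for illustration; the field names `@timestamp`, `host.name` and `rule.name` follow the Elastic Common Schema but the records themselves are invented.

```python
"""Per-host triage of rare Elastic Defend behavior rules.

Added example mirroring the rule summary: (1) restrict alerts to the
lookback window, (2) compute hosts-per-rule (the INLINE STATS step),
(3) keep only rules seen on exactly one host, (4) count distinct
surviving rules per host and flag hosts at or above the threshold.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample alerts: hypothetical hosts, rule names and times.
SAMPLE_ALERTS = [
    {"@timestamp": "2026-02-19T08:00:00Z", "host.name": "ws-01", "rule.name": "Suspicious PowerShell Download"},
    {"@timestamp": "2026-02-19T08:05:00Z", "host.name": "ws-01", "rule.name": "LSASS Memory Access"},
    {"@timestamp": "2026-02-19T08:07:00Z", "host.name": "ws-01", "rule.name": "LSASS Memory Access"},  # duplicate, counted once
    {"@timestamp": "2026-02-19T08:10:00Z", "host.name": "ws-02", "rule.name": "Browser Update Binary Execution"},
    {"@timestamp": "2026-02-19T08:11:00Z", "host.name": "ws-03", "rule.name": "Browser Update Binary Execution"},
    {"@timestamp": "2026-02-19T08:12:00Z", "host.name": "ws-04", "rule.name": "Browser Update Binary Execution"},
    {"@timestamp": "2026-02-19T08:20:00Z", "host.name": "ws-02", "rule.name": "Unusual Parent Process for cmd.exe"},
    {"@timestamp": "2026-02-17T02:00:00Z", "host.name": "ws-05", "rule.name": "Rundll32 Network Connection"},  # outside 24h window
    {"@timestamp": "2026-02-19T08:30:00Z", "host.name": "ws-05", "rule.name": "Credential Dumping via Registry"},
]

# Assumed end of the lookback window (the rule's "now").
WINDOW_END = datetime(2026, 2, 19, 9, 0, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_hosts(alerts, window_end=WINDOW_END, window_hours=24, min_rules=2):
    """Return {host: sorted list of rare rules} for hosts with >= min_rules rare rules.

    A rule is "rare" when, within the window, it fired on exactly one host.
    """
    start = window_end - timedelta(hours=window_hours)
    in_window = [a for a in alerts if start <= parse_ts(a["@timestamp"]) <= window_end]

    # Step 2: hosts per rule, the per-row aggregate INLINE STATS would attach.
    hosts_per_rule = defaultdict(set)
    for a in in_window:
        hosts_per_rule[a["rule.name"]].add(a["host.name"])

    # Step 3: drop alerts for rules seen on more than one host,
    # then collect the distinct surviving rules per host.
    rare_rules_per_host = defaultdict(set)
    for a in in_window:
        if len(hosts_per_rule[a["rule.name"]]) == 1:
            rare_rules_per_host[a["host.name"]].add(a["rule.name"])

    # Step 4: flag hosts meeting the threshold.
    return {host: sorted(rules) for host, rules in rare_rules_per_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for host, rules in triage_hosts(SAMPLE_ALERTS).items():
        print(f"CRITICAL {host}: {len(rules)} rare behavior rules -> {', '.join(rules)}")
```

With the default 24-hour window only ws-01 is flagged: its two distinct rules fired nowhere else, and the duplicate LSASS alert is counted once. ws-02 through ws-04 share the widely firing "Browser Update" rule, which is discarded as common, leaving ws-02 with a single rare rule. ws-05 also has only one rare rule inside the window; widening the window to 72 hours pulls in its earlier alert and flags it too, which is why the lookback length is the knob that most affects this rule's precision. In ES|QL the same shape is an INLINE STATS computing the distinct host count per rule, a WHERE on that count equal to one, and a STATS counting distinct rules per host; the rule's actual query is not reproduced here.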
Categories
- Endpoint
- Network
- Cloud
Data Sources
- Container
- User Account
- Process
- Network Traffic
Created: 2026-02-19