
Potential HTTP Downgrade Attack

Elastic Detection Rules

Summary
This detection rule identifies potential HTTP downgrade attacks in web traffic by monitoring the HTTP protocol version recorded in Nginx, Apache, and Apache Tomcat access logs. An HTTP downgrade attack occurs when an adversary coerces a client-server connection onto an older, less secure version of the protocol, for example falling back from HTTP/2 to HTTP/1.1 or even HTTP/1.0. Such a downgrade can expose weaknesses specific to the older version and compromise the data transmitted during the session. The rule is of the new_terms type: rather than matching a fixed list of bad versions, it alerts when an HTTP version value appears in the logs that has not been observed in the preceding 9 months of traffic (the rule's history window). Its risk score of 21 corresponds to a low severity, so an alert is a preliminary signal that warrants triage rather than a confirmed compromise. The rule maps to the Defense Evasion tactic (Impair Defenses: Downgrade Attack), reflecting that the adversary's intent is to weaken the protections that would otherwise apply to the connection.
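To make the detection logic concrete, the following added Python example (not part of the Elastic rule or of this page) emulates a new_terms check on the HTTP version extracted from constructed Nginx/Apache/Tomcat-style access log lines. The regular expression, the sample lines, and the `http.version` key name are assumptions for illustration; the real rule evaluates parsed log documents in Elasticsearch, and its exact field names and query are in the rule source.

```python
import re

# Request-line pattern shared by the Nginx/Apache combined log format and the
# default Tomcat AccessLogValve pattern: ... "<method> <target> HTTP/<version>" ...
# (assumed format for this illustration)
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<version>\d(?:\.\d)?)"'
)

# Constructed sample data, not real traffic. HISTORY stands in for the rule's
# look-back window (9 months in the real rule); CURRENT for one rule interval.
HISTORY = [
    '10.0.0.5 - - [01/Mar/2025:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [01/Mar/2025:10:00:01 +0000] "GET /api/items HTTP/2.0" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [02/Mar/2025:11:15:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.4.0"',
]
CURRENT = [
    '10.0.0.8 - - [27/Nov/2025:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [27/Nov/2025:09:00:02 +0000] "GET / HTTP/1.0" 200 512 "-" "-"',
    '203.0.113.9 - - [27/Nov/2025:09:00:03 +0000] "GET /robots.txt HTTP/1.0" 404 0 "-" "-"',
    # Malformed request: the server logs "-" instead of a request line, so no version.
    '10.0.0.8 - - [27/Nov/2025:09:00:04 +0000] "-" 400 0 "-" "-"',
]


def http_version(line):
    """Return the HTTP version ('1.1', '2.0', ...) from an access-log line, or None."""
    m = REQUEST_RE.search(line)
    return m.group("version") if m else None


def new_http_versions(history_lines, current_lines):
    """Emulate new_terms logic on the HTTP version field (simplified).

    Every version seen in the history window forms the baseline. A version in the
    current interval that is absent from the baseline raises one alert carrying the
    first matching line; further lines with the same version are no longer "new".
    """
    baseline = {v for v in map(http_version, history_lines) if v is not None}
    alerts = []
    for line in current_lines:
        v = http_version(line)
        if v is None or v in baseline:
            continue
        alerts.append({"http.version": v, "evidence": line})
        baseline.add(v)
    return alerts


if __name__ == "__main__":
    for alert in new_http_versions(HISTORY, CURRENT):
        print(f"new HTTP version {alert['http.version']}: {alert['evidence']}")
```

A first-seen HTTP version is frequently benign (a legacy client, a scanner, or a load-balancer health check speaking HTTP/1.0), which is consistent with the rule's low risk score: treat an alert as a prompt to inspect the client, the requested path, and whether the server is configured to negotiate that version, not as confirmation of an attack.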
Categories
  • Web
Data Sources
  • Named Pipe
  • Web Credential
  • Application Log
ATT&CK Techniques
  • T1562
  • T1562.010
Created: 2025-11-27