Elastic Defend Alert from GenAI Utility or Descendant

Elastic Detection Rules

Summary
This higher-order rule flags Elastic Defend alerts when the alerted process or its direct parent originates from a GenAI coding/assistant utility (examples include Cursor, Claude, Windsurf, Cody, Continue, Aider, OpenClaw, Moltbot, Clawdbot, Codeium, Tabnine, GitHub Copilot). It uses ES|QL to detect GenAI activity by: (1) identifying a GenAI spawn in the immediate parent (is_genai_spawn) by matching the lowercased parent process name against a known list, and (2) detecting OpenClaw-related ancestry (is_openclaw_spawn) when the parent is a node process whose command_line contains openclaw, moltbot or clawdbot. It then collects all GenAI-related ancestor IDs across the dataset and computes their intersection with the current process ancestry (Esql.genai_ancestor_ids). If a GenAI ancestor is found and the event is an endpoint alert, the rule surfaces the alert for triage, excluding a handful of related subrules to reduce false positives. This rule is intended to prioritize potential prompt injection, malicious AI-assisted actions, or supply-chain abuse involving GenAI tools, and carries a risk_score of 99 with severity set to critical. It references MITRE techniques related to supply-chain compromise (T1195, including subtechnique T1195.002). The rule relies on endpoint process data to give investigators context about GenAI tool usage, and serves to improve alert triage and response planning when AI-assistant tools influence a spawned process.
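The two-stage logic the summary describes (classify each process as a GenAI spawn, collect the resulting IDs across the dataset, then intersect them with each alert's ancestry) replayed in Python over constructed endpoint process events. This is an added illustration, not the ES|QL of the Elastic rule itself; the utility-name list is taken from the summary, while the event fields, the rule names on the sample alerts and the single excluded sub-rule name are assumptions made for the example.

```python
"""Added example (not Elastic's rule code): GenAI-ancestry alert triage logic
replayed over constructed process events."""
from dataclasses import dataclass

# Known GenAI utility process names, lowercased. Taken from the rule summary;
# the shipped rule's exact list may differ.
GENAI_NAMES = {
    "cursor", "claude", "windsurf", "cody", "continue", "aider",
    "openclaw", "moltbot", "clawdbot", "codeium", "tabnine", "copilot",
}
# Substrings that mark a node process as the OpenClaw/Moltbot/Clawdbot runtime.
OPENCLAW_MARKERS = ("openclaw", "moltbot", "clawdbot")
# Hypothetical name of a related sub-rule whose alerts this rule excludes.
EXCLUDED_RULES = {"GenAI Utility Spawned Shell (hypothetical)"}


@dataclass
class ProcessEvent:
    """Minimal stand-in for an endpoint process event or alert (assumed fields)."""
    entity_id: str
    name: str
    parent_entity_id: str
    parent_name: str
    ancestry: list             # ancestor entity_ids, nearest first
    parent_command_line: str = ""
    kind: str = "event"        # "alert" marks an endpoint alert document
    rule_name: str = ""        # name of the rule that produced the alert


def is_genai_spawn(ev: ProcessEvent) -> bool:
    """Step 1: the immediate parent is a known GenAI utility (case-insensitive)."""
    return ev.parent_name.lower() in GENAI_NAMES


def is_openclaw_spawn(ev: ProcessEvent) -> bool:
    """Step 2: the parent is node running with an openclaw-family command line."""
    if ev.parent_name.lower() not in ("node", "node.exe"):
        return False
    cmd = ev.parent_command_line.lower()
    return any(marker in cmd for marker in OPENCLAW_MARKERS)


def genai_ancestor_ids(events) -> set:
    """Step 3: collect GenAI-related entity_ids across the whole dataset.

    Assumption: both the GenAI utility itself and the process it spawned are
    recorded, so that deeper descendants (grandchildren and beyond) still match.
    """
    ids = set()
    for ev in events:
        if is_genai_spawn(ev) or is_openclaw_spawn(ev):
            ids.add(ev.parent_entity_id)
            ids.add(ev.entity_id)
    return ids


def flag_alerts(events):
    """Step 4: surface endpoint alerts whose ancestry intersects the GenAI set,
    skipping the excluded sub-rules. Returns (alert entity_id, matching ancestors)."""
    known = genai_ancestor_ids(events)
    flagged = []
    for ev in events:
        if ev.kind != "alert" or ev.rule_name in EXCLUDED_RULES:
            continue
        hits = sorted(set(ev.ancestry) & known)   # Esql.genai_ancestor_ids analogue
        if hits:
            flagged.append((ev.entity_id, hits))
    return flagged


# Constructed sample dataset: one GenAI-spawned shell, an alert on its child,
# an alert under an OpenClaw node runtime, an unrelated alert, and an alert
# from the excluded sub-rule.
SAMPLE_EVENTS = [
    ProcessEvent("p-bash", "bash", "p-cursor", "Cursor", ["p-cursor"]),
    ProcessEvent("p-curl", "curl", "p-bash", "bash", ["p-bash", "p-cursor"],
                 kind="alert", rule_name="Constructed Alert A"),
    ProcessEvent("p-py", "python3", "p-node", "node", ["p-node"],
                 parent_command_line="node /opt/openclaw/gateway.js",
                 kind="alert", rule_name="Constructed Alert B"),
    ProcessEvent("p-notepad", "notepad.exe", "p-explorer", "explorer.exe",
                 ["p-explorer"], kind="alert", rule_name="Constructed Alert C"),
    ProcessEvent("p-sh", "sh", "p-cursor", "Cursor", ["p-cursor"],
                 kind="alert", rule_name="GenAI Utility Spawned Shell (hypothetical)"),
]

if __name__ == "__main__":
    for entity_id, ancestors in flag_alerts(SAMPLE_EVENTS):
        print(f"{entity_id}: GenAI ancestors {ancestors}")
```

Note that the curl alert is surfaced even though its direct parent is plain bash: the bash process was itself spawned by Cursor, and its entity_id is in the collected set, which is what lets the rule reach descendants beyond the immediate child. The OpenClaw case matches purely on the node parent's command line, so a renamed node binary with the same arguments is still caught, while a GenAI binary renamed to something outside the list would not be.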
Categories
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1059
  • T1195
  • T1195.002
Created: 2026-02-27