diff --git a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
index ef5ba8cb3..6849ee989 100644
--- a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
+++ b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
@@ -16,7 +16,7 @@ detection:
 a2: '/bin/sh'
 a3: '*/crond'
 condition: selection
-level: low
+level: medium
 tags:
 - attack.defense_evasion
 - attack.t1036
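Review bot: The bump to `level: medium` comes with no recorded rationale. The diff touches only the `level` line, so the rule's `modified` date and `falsepositives` list (both outside the hunk, if the rule has them) are presumably unchanged. Medium-level rules are typically routed to alerting rather than hunting, so I would update `modified` in the same commit and add a comment above the field such as `# medium: /bin/sh copied to a path ending in /crond is not expected in normal administration`. The visible selection matches only the literal `a2: '/bin/sh'`, so the higher level reflects precision of that one pattern rather than broader coverage. The rest of the `detection` block sits above the hunk and should be checked against the new level.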