Crowdstrike Privilege Escalation For Non-Admin User

Splunk Security Content

Summary
This detection rule analyzes CrowdStrike alerts specifically for unauthorized privilege escalation attempts by non-admin users. Such attempts represent a significant security risk, as they signify regular users' efforts to gain elevated permissions, potentially leading to data breaches or unauthorized access. Through the aggregation of CrowdStrike event logs, the rule filters for incidents categorized as privilege escalation but performed by users without administrative roles, indicated by the exclusion of typical admin identifiers in usernames. The rule aggregates these events, providing insights into counts and timings of such alerts to facilitate rapid response and mitigation. The implementation leverages CrowdStrike’s Falcon Streaming API to incorporate JSON logs into SIEM systems for ongoing monitoring and analysis.
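The filter-then-aggregate logic the summary describes, as an added illustration in Python rather than the rule's own SPL; the "event" wrapper, the field names (Tactic, UserName, ComputerName, ProcessStartTime) and the sample records are assumptions constructed for this example, not taken from the rule or from CrowdStrike documentation.

```python
import json
import re
from collections import defaultdict

# Constructed sample stream, one JSON record per line, loosely shaped like
# Falcon Streaming API detection events (the "event" wrapper and field names
# are assumptions for this example, not taken from the page).
SAMPLE_STREAM = "\n".join(json.dumps(r) for r in [
    {"event": {"Tactic": "Privilege Escalation", "UserName": "jdoe",
               "ComputerName": "WS01", "ProcessStartTime": 1731500000}},
    {"event": {"Tactic": "Privilege Escalation", "UserName": "jdoe",
               "ComputerName": "WS01", "ProcessStartTime": 1731500600}},
    {"event": {"Tactic": "Privilege Escalation", "UserName": "Administrator",
               "ComputerName": "WS01", "ProcessStartTime": 1731500700}},
    {"event": {"Tactic": "Credential Access", "UserName": "asmith",
               "ComputerName": "WS02", "ProcessStartTime": 1731500800}},
    {"event": {"Tactic": "Privilege Escalation", "UserName": "asmith",
               "ComputerName": "WS02", "ProcessStartTime": 1731501000}},
])

# Usernames matching this pattern are treated as administrative and excluded.
# Caveat: a name-based exclusion is only as good as the naming convention; an
# admin account without such a marker is still counted as a non-admin user.
ADMIN_NAME = re.compile(r"admin|root", re.IGNORECASE)


def is_non_admin_privesc(event):
    """True for privilege-escalation alerts whose user name has no admin marker."""
    tactic = event.get("Tactic", "")
    user = event.get("UserName", "")
    return tactic.lower() == "privilege escalation" and not ADMIN_NAME.search(user)


def aggregate(stream_text):
    """Group matching alerts by (user, host): count plus first and last time."""
    stats = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for line in stream_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line).get("event", {})
        if not is_non_admin_privesc(event):
            continue
        ts = event.get("ProcessStartTime", 0)
        row = stats[(event.get("UserName"), event.get("ComputerName"))]
        row["count"] += 1
        row["firstTime"] = ts if row["firstTime"] is None else min(row["firstTime"], ts)
        row["lastTime"] = ts if row["lastTime"] is None else max(row["lastTime"], ts)
    return dict(stats)


if __name__ == "__main__":
    for (user, host), row in aggregate(SAMPLE_STREAM).items():
        print(user, host, row)
```

Running it yields two rows (jdoe on WS01 with two alerts, asmith on WS02 with one); the Administrator alert and the Credential Access alert are dropped by the filter.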
Categories
  • Endpoint
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1110
Created: 2024-11-13