
Summary
This detection rule monitors execution of the "sudo" and "su" commands on Linux systems using logs collected from Auditd. The basis of the detection is that these commands are frequently leveraged by attackers for privilege escalation, allowing them to perform unauthorized actions with elevated permissions. The rule captures the process name and the parent process name from the execution records so that potential security incidents can be identified. Implementing this detection requires Auditd to be configured so that all necessary execution logs are captured, and those logs must be ingested into the Splunk platform through the Unix and Linux Add-on. By tracking and analyzing these command executions, security teams can quickly identify unauthorized access attempts and respond to potential security breaches.
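The following Python script is an added illustration of the logic described above, not the rule's own Splunk search or any code from the rule's author. It parses constructed Auditd SYSCALL and EXECVE records (the audit log format, assuming execve auditing is enabled), correlates each record by its audit serial number, resolves the parent process name by matching the record's `ppid` against earlier `pid` values (Auditd records carry only the parent's PID, not its name), and raises an alert for every execution of sudo or su. The sample log lines, the `priv_esc` audit key, the PIDs and the user ids are all constructed for the example.

```python
import os
import re
from collections import defaultdict
from typing import Dict, List

# Process names the rule watches for (the page's sudo and su).
WATCHED = {"sudo", "su"}

# Constructed sample audit log (not real data). Each execve produces a SYSCALL
# record (pid, ppid, auid, uid, comm, exe) and an EXECVE record (argv) sharing
# the same serial inside msg=audit(TIME:SERIAL). The "priv_esc" key and all
# ids are assumptions for the example.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1737360000.100:200): arch=c000003e syscall=59 success=yes exit=0 a0=55d1a1b2c3d0 a1=55d1a1b2c4e0 ppid=4000 pid=4321 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="priv_esc"
type=EXECVE msg=audit(1737360000.100:200): argc=1 a0="bash"
type=SYSCALL msg=audit(1737360000.101:201): arch=c000003e syscall=59 success=yes exit=0 a0=55d1a1b2c3d0 a1=55d1a1b2c4e0 ppid=4321 pid=4330 auid=1000 uid=1000 gid=1000 euid=0 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key="priv_esc"
type=EXECVE msg=audit(1737360000.101:201): argc=2 a0="sudo" a1="-i"
type=SYSCALL msg=audit(1737360000.102:202): arch=c000003e syscall=59 success=yes exit=0 a0=55d1a1b2c3d0 a1=55d1a1b2c4e0 ppid=4321 pid=4331 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="priv_esc"
type=EXECVE msg=audit(1737360000.102:202): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1737360000.103:203): arch=c000003e syscall=59 success=yes exit=0 a0=55d1a1b2c3d0 a1=55d1a1b2c4e0 ppid=5000 pid=5001 auid=1001 uid=1001 gid=1001 euid=0 tty=pts1 ses=4 comm="su" exe="/usr/bin/su" key="priv_esc"
type=EXECVE msg=audit(1737360000.103:203): argc=2 a0="su" a1="-"
"""

MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_records(text: str) -> Dict[str, dict]:
    """Group SYSCALL and EXECVE records by audit serial into one event each."""
    events: Dict[str, dict] = defaultdict(lambda: {"args": []})
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # not an audit record; skip
        ev = events[m.group("serial")]
        ev["timestamp"] = m.group("ts")
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        rtype = fields.get("type")
        if rtype == "SYSCALL":
            for k in ("pid", "ppid", "auid", "uid", "euid", "comm", "exe", "tty", "key"):
                if k in fields:
                    ev[k] = fields[k]
        elif rtype == "EXECVE":
            argc = int(fields.get("argc", "0"))
            ev["args"] = [fields.get(f"a{i}", "") for i in range(argc)]
    return dict(events)


def detect_sudo_su(text: str) -> List[dict]:
    """Return one alert per sudo/su execution, with the parent process named."""
    events = parse_audit_records(text)
    # pid -> comm map built from every execve seen, used to name the parent.
    pid_to_comm = {ev["pid"]: ev["comm"] for ev in events.values()
                   if "pid" in ev and "comm" in ev}
    alerts = []
    for serial, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        comm = ev.get("comm", "")
        exe_name = os.path.basename(ev.get("exe", ""))
        # Match on either the task name or the executable's basename.
        if comm not in WATCHED and exe_name not in WATCHED:
            continue
        alerts.append({
            "serial": serial,
            "process": comm or exe_name,
            "exe": ev.get("exe"),
            "parent_process": pid_to_comm.get(ev.get("ppid"), "unknown"),
            "args": ev["args"],
            "auid": ev.get("auid"),  # login uid: who actually started the session
            "uid": ev.get("uid"),
            "tty": ev.get("tty"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_sudo_su(SAMPLE_AUDIT_LOG):
        print(alert)
```

The parent name resolves only when the parent's own execve record is within the parsed window; otherwise the alert reports `unknown`, which is the same limitation a Splunk search over a bounded time range has when it joins on `ppid`. Reporting `auid` alongside `uid` matters because after a successful `su` or `sudo` the effective uid becomes 0 while the login uid still identifies the original user.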
Categories
- Linux
- Endpoint
Data Sources
- Pod
- Container
- User Account
- Image
- Process
- File
- Script
ATT&CK Techniques
- T1548
- T1548.003
Created: 2025-01-20