High Command Line Entropy Detected for Privileged Commands

Elastic Detection Rules

Summary
This rule uses a machine learning job to find users whose privileged commands have an unusually high median command line entropy, which may indicate unauthorized access or privilege escalation. Entropy measures how evenly spread the characters of a command line are: routine administrative commands consist of short lowercase words, flags and paths, while base64 blobs, packed one-liners and other obfuscated payloads draw on a much wider character set. Because the job scores the per-user median rather than a single command, an alert means that user's privileged activity is consistently of this kind, not that one odd command appeared.

The rule applies to Linux hosts and requires the Privileged Access Detection (PAD) integration together with Elastic's anomaly detection features. It runs every 15 minutes and examines anomaly results from the preceding 3 hours. Its risk score of 21 marks it as low severity: a lead for an analyst to triage, not an alert to act on by itself. When it fires, it points investigators at a specific privileged account whose recent commands should be inspected before the activity escalates. The rule also ships with investigation steps, false positive guidance and recommended response actions.
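To make the signal concrete, the following script approximates what the job scores: Shannon entropy of each command line, then the per-user median over privileged commands only. This is an added example, not Elastic's job or rule code; the events are constructed, the `is_privileged` prefix check and the `threshold` value of 4.5 bits are assumptions, and the real job learns a baseline instead of applying a fixed cutoff.

```python
"""Approximation of a per-user median command line entropy score.

Added illustration, not Elastic's code. Sample events are constructed;
the privileged-command check and the 4.5-bit threshold are assumptions.
"""
import math
import statistics
from collections import Counter, defaultdict

# Constructed sample process events (not real telemetry).
# mallory's commands carry base64 payloads that decode to
# "import os; os.system('id')" and "cat /etc/shadow".
EVENTS = [
    {"user": "alice", "cmd": "sudo systemctl restart nginx"},
    {"user": "alice", "cmd": "sudo tail -n 50 /var/log/nginx/error.log"},
    {"user": "alice", "cmd": "sudo apt-get update"},
    {"user": "mallory", "cmd": "sudo python3 -c \"exec(__import__('base64').b64decode('aW1wb3J0IG9zOyBvcy5zeXN0ZW0oJ2lkJyk='))\""},
    {"user": "mallory", "cmd": "sudo bash -c \"echo aW1wb3J0IG9zOyBvcy5zeXN0ZW0oJ2lkJyk= | base64 -d | python3\""},
    {"user": "mallory", "cmd": "sudo sh -c \"echo Y2F0IC9ldGMvc2hhZG93 | base64 -d | sh\""},
    {"user": "bob", "cmd": "ls -la /home/bob"},  # unprivileged, ignored
]

PRIVILEGE_PREFIXES = {"sudo", "su", "doas", "pkexec"}  # assumed stand-in for PAD's notion


def shannon_entropy(s: str) -> float:
    """Bits per character over the string's character distribution; 0.0 for empty."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def is_privileged(cmd: str) -> bool:
    """Assumption: a command is privileged if its first token is a privilege wrapper."""
    tokens = cmd.split()
    return bool(tokens) and tokens[0] in PRIVILEGE_PREFIXES


def median_entropy_by_user(events):
    """Median entropy of each user's privileged command lines (users with none are omitted)."""
    per_user = defaultdict(list)
    for ev in events:
        if is_privileged(ev["cmd"]):
            per_user[ev["user"]].append(shannon_entropy(ev["cmd"]))
    return {user: statistics.median(vals) for user, vals in per_user.items()}


def flag_users(events, threshold: float = 4.5):
    """Users whose median exceeds the assumed fixed threshold, sorted by name."""
    medians = median_entropy_by_user(events)
    return sorted(user for user, med in medians.items() if med > threshold)


if __name__ == "__main__":
    for user, med in sorted(median_entropy_by_user(EVENTS).items()):
        print(f"{user:8s} median entropy {med:.2f} bits")
    print("flagged:", flag_users(EVENTS))
```

On the constructed data alice's median sits below 4 bits while mallory's is above 5, so only mallory is flagged. Two points carry over to triage of the real alert: a user whose legitimate work involves long hashes, tokens or base64 arguments (container image digests, API credentials passed on the command line) will also score high, and a single obfuscated command among many ordinary ones will not move the median much, which is why the job looks for sustained deviation rather than one outlier.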
Categories
  • Linux
  • Cloud
  • On-Premise
  • Infrastructure
Data Sources
  • Pod
  • Container
  • User Account
  • Process
ATT&CK Techniques
  • T1078
Created: 2025-02-18