Spike in Privileged Command Execution by a User

Elastic Detection Rules

Summary
This detection rule uses machine learning to identify anomalous behavior in user command execution, specifically spikes in the number of privileged commands a user executes. Such a spike can indicate unauthorized access: a user engaging in privileged activity that deviates from their normal behavior. The rule analyzes Linux log data and flags significant increases in the frequency of privileged commands executed by a user, which may reflect an attempt to exploit that account or its elevated privileges. It operates with a configurable anomaly threshold set to 75, indicating a high likelihood of atypical activity. The rule is part of the Privileged Access Detection integration and is designed to work alongside other data sources such as Elastic Defend and Sysmon Linux. Organizations need to be aware of these anomalies, as they can lead to severe security incidents if left unchecked. The rule's investigation and response guidance emphasizes close analysis of user behavior, command activity patterns, and ways to reduce false positives caused by legitimate administrative tasks.
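To make the idea of a per-user spike concrete, here is an added example (not the rule's own machine-learning job or any Elastic code): a simplified detector that parses constructed sudo-style log lines, compares each user's count in the current hour against a constructed per-user baseline, and maps the deviation onto a 0-100 score checked against the rule's threshold of 75. The log lines, the baseline history and the scoring formula are all assumptions made for illustration.

```python
"""Simplified spike detector for privileged (sudo) commands per user.
Added example, not Elastic's rule or its ML job: a per-user hourly baseline
and a 0-100 score stand in for the model, compared against the threshold of 75.
"""
import math
import re
import statistics
from collections import Counter

ANOMALY_THRESHOLD = 75  # the rule's configured anomaly threshold

# Constructed lines in the style of sudo entries in /var/log/auth.log,
# all in the 09:00 hour of one day (the window being scored).
CURRENT_WINDOW_LOG = """\
Feb 18 09:01:12 web1 sudo: alice : USER=root ; COMMAND=/usr/bin/systemctl status nginx
Feb 18 09:02:40 web1 sudo: alice : USER=root ; COMMAND=/usr/bin/journalctl -u nginx
Feb 18 09:02:55 web1 sudo: alice : USER=root ; COMMAND=/usr/bin/apt-get update
Feb 18 09:03:10 web1 sudo: alice : USER=root ; COMMAND=/usr/bin/tail /var/log/syslog
Feb 18 09:03:31 web1 sudo: alice : USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Feb 18 09:04:02 web1 sudo: alice : USER=root ; COMMAND=/usr/bin/df -h
Feb 18 09:15:00 web1 sudo: bob : USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Feb 18 09:20:00 web1 sshd[812]: Accepted publickey for bob from 10.0.0.5 port 50212
"""

# Constructed history: each user's sudo count in the same hour on seven
# earlier days, i.e. the per-user "normal" the rule learns.
BASELINE = {"alice": [1, 0, 2, 1, 1, 0, 1], "bob": [1, 2, 1, 1, 2, 1, 1]}
SUDO_RE = re.compile(r" sudo: +(?P<user>\S+) : .*COMMAND=")

def privileged_counts(log_text):
    """Count sudo command executions per user; other lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            counts[m.group("user")] += 1
    return counts

def anomaly_score(history, current):
    """0-100: how far the current count sits above the user's baseline."""
    mean = statistics.mean(history) if history else 0.0
    std = statistics.pstdev(history) if len(history) > 1 else 0.0
    z = max((current - mean) / max(std, 1.0), 0.0)  # floor std at 1
    return round(100 * (1 - math.exp(-z / 2)))

def alerts(log_text, baseline, threshold=ANOMALY_THRESHOLD):
    """Users whose score meets the threshold, i.e. where the rule fires."""
    scores = {u: anomaly_score(baseline.get(u, []), n)
              for u, n in privileged_counts(log_text).items()}
    return {u: s for u, s in scores.items() if s >= threshold}
```

A user with no history at all (empty baseline) is scored purely on the current count, which is how a first-seen account ends up flagged; bob's single command stays within his baseline and scores 0.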
Categories
  • Linux
  • Cloud
  • Endpoint
  • On-Premise
Data Sources
  • User Account
  • Process
  • Logon Session
  • Container
  • File
ATT&CK Techniques
  • T1078
Created: 2025-02-18