Summary
This detection rule is designed to monitor unauthorized privilege escalation attempts on Linux systems, specifically via Python scripts that exploit 'setuid' or 'setgid' attributes. The rule captures sequences where a Python command that invokes elevated privileges is followed by a change of user or group ID to the root user. 'Setuid' allows users to execute files with the permissions of the file owner, and 'setgid' does the same for the group, making these features attractive targets for attackers aiming to escalate privileges. The detection logic employs EQL (Event Query Language) to analyze process execution and UID/GID changes, issuing alerts when it detects this sequence. A risk score of 47 reflects a medium level of risk associated with such activities. Detailed investigation guidance is included to help security teams analyze potential alerts, determine the legitimacy of the identified activities, and respond appropriately to any unauthorized escalations observed.
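The two-step sequence the summary describes can be reproduced in a few lines of plain Python, which makes the rule's logic easier to reason about than the prose alone. The block below is an added example, not the rule's actual EQL query or any vendor code: it defines a toy event schema (the field names ts, host, pid, action, name, args, uid and gid are assumptions chosen for the example, not the real data source's fields), pairs a python* process start whose command line calls os.setuid/os.setgid with a later user or group ID change to root on the same host and pid, and runs that over constructed sample telemetry.

```python
# Added example (not the rule's own EQL or any vendor code): a small Python
# simulation of the two-step sequence described in the summary, run over
# constructed sample events. Field names (ts, host, pid, action, name, args,
# uid, gid) are assumptions for this toy schema, not the real data source's fields.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Matches an os.setuid(...) or os.setgid(...) call anywhere in a command-line argument.
SETID_RE = re.compile(r"\bos\.set[ug]id\s*\(")


@dataclass(frozen=True)
class Event:
    ts: float                      # seconds since epoch (constructed)
    host: str
    pid: int
    action: str                    # "exec" for process start, "uid_change" for an ID change
    name: str = ""                 # process name, e.g. "python3"
    args: Tuple[str, ...] = ()
    uid: str = ""                  # user id after the change (uid_change events only)
    gid: str = ""                  # group id after the change (uid_change events only)


def is_python_setid_exec(e: Event) -> bool:
    """Step 1: a python* process started with a command line calling os.setuid/os.setgid."""
    return (e.action == "exec"
            and e.name.startswith("python")
            and any(SETID_RE.search(a) for a in e.args))


def is_root_id_change(e: Event) -> bool:
    """Step 2: the process's user or group ID changed to root (0)."""
    return e.action == "uid_change" and (e.uid == "0" or e.gid == "0")


def find_sequences(events: List[Event], maxspan: float = 1.0) -> List[Tuple[Event, Event]]:
    """Pair each step-1 event with a later step-2 event from the same host+pid
    that arrives within maxspan seconds; each pair is one alert."""
    pending: Dict[Tuple[str, int], Event] = {}
    alerts: List[Tuple[Event, Event]] = []
    for e in sorted(events, key=lambda x: x.ts):
        key = (e.host, e.pid)
        if is_python_setid_exec(e):
            pending[key] = e                       # open a window for this process
        elif is_root_id_change(e):
            start = pending.pop(key, None)
            if start is not None and e.ts - start.ts <= maxspan:
                alerts.append((start, e))
    return alerts


# Constructed sample telemetry; none of this is captured from a real host.
SAMPLE_EVENTS = [
    # benign: ordinary script, no setuid/setgid call, no ID change
    Event(100.0, "web01", 4101, "exec", "python3", ("python3", "backup.py")),
    # suspicious: python -c with os.setuid(0), then the same pid becomes root
    Event(100.5, "web01", 4102, "exec", "python3",
          ("python3", "-c", "import os; os.setuid(0); os.system('id')")),
    Event(100.6, "web01", 4102, "uid_change", uid="0", gid="0"),
    # setgid call that did not succeed: no ID-change event follows
    Event(101.0, "web01", 4103, "exec", "python3",
          ("python3", "-c", "import os; os.setgid(0)")),
    # root ID change by a non-python process (e.g. sudo): outside this rule's scope
    Event(102.0, "web01", 4104, "uid_change", uid="0", gid="0"),
    # python setuid exec whose ID change arrives well after maxspan
    Event(103.0, "db01", 7001, "exec", "python3",
          ("python3", "-c", "import os; os.setuid(0)")),
    Event(110.0, "db01", 7001, "uid_change", uid="0", gid="0"),
]

if __name__ == "__main__":
    for start, change in find_sequences(SAMPLE_EVENTS):
        print(f"ALERT host={start.host} pid={start.pid} cmd={' '.join(start.args)!r} "
              f"-> uid={change.uid} gid={change.gid} after {change.ts - start.ts:.1f}s")
```

Run as written, only the pid 4102 pair produces an alert: the benign script never calls set*id, the pid 4103 call is never followed by an ID change, the sudo-style change on pid 4104 has no preceding Python exec, and the db01 pair falls outside the one-second window. Widening maxspan to 10 seconds also surfaces the db01 pair, which is the same trade-off the real rule's span setting makes between catching slow sequences and pairing unrelated events. During triage, the command line captured in the step-1 event and the user who launched the process are the first things to compare against known administrative scripts.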
Categories
- Endpoint
- Linux
- On-Premise
Data Sources
- Process
- File
- Application Log
ATT&CK Techniques
- T1068
- T1548
- T1548.001
Created: 2023-09-05