Passwordless Sudo Probing

Elastic Detection Rules

Summary
This detection rule flags passwordless sudo probing on Linux hosts by watching process start events for the sudo binary launched with non-interactive arguments. Attackers often run sudo -n or sudo --non-interactive to learn whether a password is required, effectively probing for passwordless privilege escalation paths and enumerating the commands they are permitted to run.

The rule targets Linux process start events (event.type start or related process start actions) where the process name is sudo and the arguments include -n or --non-interactive, restricted to hosts with host.os.type == "linux". It maps to the MITRE ATT&CK Discovery techniques T1033 (System Owner/User Discovery) and T1082 (System Information Discovery) under tactic TA0007 (Discovery).

The rule ingests process-level data from several security integrations (Auditd Manager, CrowdStrike, SentinelOne, Endgame) through Elastic Defend/Fleet; its setup guidance describes how to enable the Elastic Defend integration on Linux so that events reach Elastic Security. The intended outcome is a detection whenever an attacker tests for passwordless sudo privilege elevation, which defenders can then correlate with broader discovery activity and privilege escalation attempts.
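The matching logic described above, written out as an added Python example so it can be run over sample events; this is not the Elastic rule's own query. The event shape (host.os.type, event.type, event.action, process.name, process.args) is an ECS-like assumption, the sample events are constructed, and the set of event.action values treated as "process start" is an assumption. The example goes one step beyond the summary: instead of matching -n anywhere in the argument list, it only inspects sudo's own options (stopping at "--" or at the command sudo is asked to run, and skipping values of options such as -u), so that a benign "sudo grep -n ..." does not fire. It also recognises -n inside a clustered short option such as -nl, which sudo accepts.

```python
"""Added example: passwordless sudo probing detection over constructed events.

Illustrative code written for this page, not the rule's own implementation.
Event layout is an ECS-like assumption; sample events below are constructed.
"""
from typing import Iterable, List

# Short sudo options that consume a value (assumption: the common ones from sudo(8)).
_SHORT_WITH_VALUE = set("ugCDprtTU")
# Long forms of the same options; they take "--opt value" or "--opt=value".
_LONG_WITH_VALUE = {"--user", "--group", "--close-from", "--chdir", "--prompt",
                    "--role", "--type", "--command-timeout", "--other-user"}
# event.action values we treat as a process start (assumption, integration-dependent).
_START_ACTIONS = {"exec", "exec_event", "executed", "process_started", "start", "ProcessRollup2"}


def _sudo_non_interactive(args: List[str]) -> bool:
    """True if sudo's own option list contains -n / --non-interactive.

    Only sudo's options are inspected: parsing stops at "--" or at the first
    non-option argument, which is the command sudo will run.
    """
    i = 1  # args[0] is the sudo binary itself
    while i < len(args):
        a = args[i]
        if a == "--":
            return False
        if a == "--non-interactive":
            return True
        if a.startswith("--"):
            name = a.split("=", 1)[0]
            if name in _LONG_WITH_VALUE and "=" not in a:
                i += 1  # value is the next argument; skip it
            i += 1
            continue
        if a.startswith("-") and len(a) > 1:
            # Clustered short options, e.g. -nl or -nuroot.
            for j, ch in enumerate(a[1:], start=1):
                if ch == "n":
                    return True
                if ch in _SHORT_WITH_VALUE:
                    if j == len(a) - 1:
                        i += 1  # value is the next argument; skip it
                    break  # otherwise the rest of the cluster is the value
            i += 1
            continue
        return False  # first non-option argument: the command, not sudo's options
    return False


def is_passwordless_sudo_probe(event: dict) -> bool:
    """Apply the rule's conditions to one event dict."""
    if event.get("host", {}).get("os", {}).get("type") != "linux":
        return False
    ev = event.get("event", {})
    types = ev.get("type", [])
    if isinstance(types, str):
        types = [types]
    if "start" not in types and ev.get("action") not in _START_ACTIONS:
        return False
    proc = event.get("process", {})
    if proc.get("name") != "sudo":
        return False
    return _sudo_non_interactive(proc.get("args") or [])


def scan(events: Iterable[dict]) -> List[str]:
    """Return the ids of events that match the rule."""
    return [e["id"] for e in events if is_passwordless_sudo_probe(e)]


def _ev(eid, os_type, etype, name, args, action="exec"):
    """Build a constructed sample event."""
    return {"id": eid, "host": {"os": {"type": os_type}},
            "event": {"type": [etype], "action": action},
            "process": {"name": name, "args": args}}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    _ev("e1", "linux", "start", "sudo", ["sudo", "-n", "true"]),
    _ev("e2", "linux", "start", "sudo", ["sudo", "--non-interactive", "-l"]),
    _ev("e3", "linux", "start", "sudo", ["sudo", "-u", "root", "-nl"]),
    _ev("e4", "linux", "start", "sudo", ["sudo", "-l"]),                               # no -n
    _ev("e5", "linux", "start", "sudo", ["sudo", "grep", "-n", "root", "/etc/passwd"]),  # -n belongs to grep
    _ev("e6", "linux", "end", "sudo", ["sudo", "-n", "true"], action="end"),           # not a start event
    _ev("e7", "windows", "start", "sudo", ["sudo", "-n", "true"]),                     # wrong OS
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # expected: ['e1', 'e2', 'e3']
```

Events e1 to e3 fire; e4 has no -n, e5 carries -n only as an argument to grep, e6 is not a start event and e7 is not a Linux host. Whether to keep the stricter option-only parsing or the summary's plain "arguments include -n" is a precision trade-off: the plain form is simpler in a query language but will also flag commands run under sudo that happen to take a -n flag.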
Categories
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1033
  • T1082
Created: 2026-05-21