
Linux NOPASSWD Entry In Sudoers File

Splunk Security Content

Summary
This detection rule identifies the addition of 'NOPASSWD' entries to the /etc/sudoers file on Linux systems, leveraging Endpoint Detection and Response (EDR) telemetry. The rule triggers when a command line includes 'NOPASSWD:', which indicates that a user has been allowed to execute commands with escalated privileges without entering a password. This is significant because it creates a path for privilege escalation and unauthorized access, and can lead to the compromise of sensitive data and system integrity. The analytic uses Sysmon for Linux logs to monitor and correlate such events across endpoints, providing an effective means of detecting this potentially malicious configuration change.
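The matching logic described above, run over a few constructed Sysmon for Linux process-creation records, as an added example (not the Splunk Security Content search itself): the event field names and the sudoers-path and write-hint triage fields are assumptions layered on top of the page's 'NOPASSWD:' condition.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events in the shape of Sysmon for Linux process-creation
# records (EventID 1) after field extraction; the field names are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "web01", "User": "root",
     "CommandLine": "sh -c echo 'deploy ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers"},
    {"EventID": 1, "Computer": "web01", "User": "root",
     "CommandLine": "tee -a /etc/sudoers.d/90-ci"},
    {"EventID": 1, "Computer": "db02", "User": "alice",
     "CommandLine": "grep -r NOPASSWD: /etc/sudoers.d/"},
    {"EventID": 1, "Computer": "db02", "User": "alice",
     "CommandLine": "ls -la /etc/sudoers.d"},
]

# Triage helpers (assumed, not part of the page's rule): which sudoers path the
# command line names, and whether it looks like a write rather than a read.
SUDOERS_PATH = re.compile(r"/etc/sudoers(?:\.d(?:/\S*)?)?")
WRITE_HINT = re.compile(r"(>>?|\btee\b|\bsed\s+-i\b)")


@dataclass
class Alert:
    computer: str
    user: str
    command_line: str
    sudoers_path: Optional[str]   # path named in the command line, if any
    looks_like_write: bool        # redirect / tee / sed -i present


def detect_nopasswd(events):
    """Return one Alert per process event whose command line contains
    'NOPASSWD:', the condition the rule fires on. The extra fields only help
    an analyst separate edits of the policy from reads such as grep."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:          # process creation only
            continue
        cmd = ev.get("CommandLine", "")
        if "NOPASSWD:" not in cmd:
            continue
        path = SUDOERS_PATH.search(cmd)
        alerts.append(Alert(ev.get("Computer", "?"), ev.get("User", "?"), cmd,
                            path.group(0) if path else None,
                            bool(WRITE_HINT.search(cmd))))
    return alerts


if __name__ == "__main__":
    for a in detect_nopasswd(SAMPLE_EVENTS):
        print(a)
```

Note that the second sample event (a tee into /etc/sudoers.d without the literal 'NOPASSWD:' on its command line) is not caught, which illustrates why the page's rule is one signal among several rather than complete coverage of sudoers changes.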
Categories
  • Linux
  • Endpoint
Data Sources
  • Pod
  • Container
ATT&CK Techniques
  • T1548.003
  • T1548
Created: 2025-01-27