Unusual Process Detected for Privileged Commands by a User

Elastic Detection Rules

Summary
This detection rule uses a machine learning job to flag process executions in which a user runs a privileged command that is unusual for that user. The scenario it targets is a valid account (ATT&CK T1078) being used to escalate privileges: the credentials are legitimate, so the signal is not the command itself but the departure from that user's established behaviour. The job learns each user's normal privileged-command activity over a configured window and raises an alert when an execution scores at or above the anomaly threshold of 75, so only high-scoring outliers surface. The rule depends on the Privileged Access Detection integration together with Linux process and logon data collected by integrations such as Elastic Defend and Sysmon for Linux; setup consists of having a Fleet Server configured and those integrations installed, with the ML job running long enough to build a baseline before alerts are meaningful. When it fires, the investigation question is whether the flagged user has a legitimate reason for the command (a new role, a one-off administrative task) or whether the account is being misused, and the rule's guidance covers how to interpret the alert, what surrounding activity to review, and how to remediate, with an emphasis on continuous monitoring and tightening the user's access where it is broader than needed.
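To make the scoring idea concrete, the following is an added illustration written for this page, not the Elastic ML job or any code from the rule: it builds a per-user baseline of privileged commands from a learning window, scores each new execution by how surprising it is for that user, and alerts at the rule's threshold of 75. The `user.name`/`process.name` event shape, the `PRIVILEGED_COMMANDS` list, the smoothing constant and the 6-bit saturation point are all assumptions chosen for the example, and the events are constructed.

```python
"""Rarity scoring of privileged command executions per user.

Simplified stand-in for the rule's idea, written for this page; it is not the
Elastic ML job's algorithm. Field names, the privileged-command list and the
scoring constants are assumptions.
"""
import math
from collections import Counter, defaultdict

# Assumption: process names treated as "privileged commands".
PRIVILEGED_COMMANDS = frozenset(
    {"sudo", "su", "doas", "pkexec", "usermod", "visudo", "setcap", "chattr"}
)
ALPHA = 1.0      # Laplace smoothing: never-seen commands get a small non-zero probability
MAX_BITS = 6.0   # surprisal (bits) at which the 0-100 score saturates
THRESHOLD = 75   # the anomaly threshold the rule uses


def build_baseline(events):
    """Per-user counts of privileged commands over the learning window.

    Events are ECS-like dicts; only user.name and process.name are used,
    and non-privileged processes are ignored.
    """
    baseline = defaultdict(Counter)
    for ev in events:
        if ev["process.name"] in PRIVILEGED_COMMANDS:
            baseline[ev["user.name"]][ev["process.name"]] += 1
    return baseline


def anomaly_score(baseline, user, process):
    """Score 0-100: how surprising it is for `user` to run `process`.

    Smoothed probability p = (count + ALPHA) / (total + ALPHA * |vocab|);
    the surprisal -log2(p) is scaled so that MAX_BITS maps to 100.
    """
    counts = baseline.get(user, Counter())
    total = sum(counts.values())
    p = (counts[process] + ALPHA) / (total + ALPHA * len(PRIVILEGED_COMMANDS))
    bits = -math.log2(p)
    return min(100, round(100 * bits / MAX_BITS))


def detect(baseline, events, threshold=THRESHOLD):
    """Return (user, process, score) for privileged executions scoring >= threshold."""
    hits = []
    for ev in events:
        if ev["process.name"] not in PRIVILEGED_COMMANDS:
            continue
        score = anomaly_score(baseline, ev["user.name"], ev["process.name"])
        if score >= threshold:
            hits.append((ev["user.name"], ev["process.name"], score))
    return hits


def _ev(user, process):
    return {"user.name": user, "process.name": process, "event.category": "process"}


# Constructed learning window: alice only ever uses sudo; bob mostly sudo, some su.
LEARNING_EVENTS = (
    [_ev("alice", "sudo")] * 40
    + [_ev("alice", "vim")] * 10          # not privileged, ignored by the baseline
    + [_ev("bob", "sudo")] * 20
    + [_ev("bob", "su")] * 5
)
BASELINE = build_baseline(LEARNING_EVENTS)

# Constructed scoring window.
NEW_EVENTS = [
    _ev("alice", "sudo"),     # routine for alice
    _ev("alice", "setcap"),   # never seen from alice
    _ev("bob", "su"),         # seen from bob before, just less often
    _ev("bob", "visudo"),     # never seen from bob
    _ev("mallory", "sudo"),   # user with no baseline at all
]


def run_example():
    return detect(BASELINE, NEW_EVENTS)


if __name__ == "__main__":
    for user, process, score in run_example():
        print(f"ALERT user={user} process={process} score={score}")
```

Only alice's `setcap` and bob's `visudo` cross the threshold; bob's `su` scores well below it because it is part of his history. Note the blind spot that any scheme of this kind shares with the real rule: a user with no baseline (mallory) gets the same middling score for every command, which is why the job has to observe a learning window before its alerts carry much weight, and why a brand-new account running privileged commands is better covered by a separate, non-ML rule.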
Categories
  • Linux
  • Endpoint
  • Cloud
  • Infrastructure
Data Sources
  • User Account
  • Process
  • Logon Session
ATT&CK Techniques
  • T1078
Created: 2025-02-18