Linux Sudo OR Su Execution

Splunk Security Content

Summary
This detection rule identifies execution of the 'sudo' or 'su' commands on Linux systems, because these commands are frequently used by attackers to elevate privileges and gain unauthorized access. The analytic uses data collected from Endpoint Detection and Response (EDR) agents, which provide telemetry on process execution. The rule inspects both the executed command and its parent process so that instances where privilege escalation may be taking place are captured. By focusing on these two commands, the detection aims to flag potentially malicious activity that could lead to serious security breaches. Implementation requires proper ingestion of Sysmon logs and mapping of the data to the Endpoint data model in Splunk. Configuration must also account for known false positives, particularly from legitimate administrative activity, to keep the detection accurate.
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
  • Command
ATT&CK Techniques
  • T1548
  • T1548.003
Created: 2024-11-13