Linux Doas Tool Execution

Splunk Security Content

Summary
This detection rule identifies execution of the 'doas' tool on Linux hosts. Like 'sudo', 'doas' lets a permitted user run a command as another user, typically root. The rule uses process telemetry from Endpoint Detection and Response (EDR) agents and looks for process names and command lines that invoke 'doas'. This is noteworthy because an attacker who has gained a foothold as an unprivileged user can use 'doas' (for example through an overly permissive 'doas' configuration or a compromised account that is permitted to use it) to obtain root privileges. If left unchecked, this gives the attacker administrative control of the host, with a high risk of full system compromise and data theft. The detection queries the Endpoint data model in Splunk, tracking occurrences of 'doas' executions, and provides a filter for excluding known benign administrative use. On hosts where 'doas' is the standard administration tool (Alpine Linux and OpenBSD-derived setups commonly prefer it over 'sudo'), expect routine activity to match and tune the filter accordingly.
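The detection logic described above, re-implemented as an added example that is not the Splunk rule's own SPL: it scans constructed process events shaped like Endpoint.Processes fields, matches doas executions by executable name or first command-line token, aggregates them by host, user, parent and command the way a tstats search would, and drops entries that match an allowlist of known administrative use. The event records, the field names used and the BENIGN_ADMIN_USE allowlist are all assumptions made for the example.

```python
import os
from collections import OrderedDict
import re

# Constructed sample events (assumed field names modelled on Endpoint.Processes).
SAMPLE_EVENTS = [
    {"_time": 1731500000, "dest": "web01", "user": "deploy", "parent_process_name": "bash",
     "process_name": "doas", "process": "doas -u root systemctl restart nginx"},
    {"_time": 1731500060, "dest": "web01", "user": "deploy", "parent_process_name": "bash",
     "process_name": "doas", "process": "doas -u root systemctl restart nginx"},
    {"_time": 1731500120, "dest": "web01", "user": "www-data", "parent_process_name": "sh",
     "process_name": "/usr/bin/doas", "process": "/usr/bin/doas sh -c 'cat /etc/shadow'"},
    # Negative case: 'doas' only appears as an argument, not as the executable.
    {"_time": 1731500180, "dest": "db01", "user": "alice", "parent_process_name": "bash",
     "process_name": "grep", "process": "grep doas /var/log/auth.log"},
]

# Hypothetical allowlist of (user, full command-line regex) pairs standing in for
# the rule's filter; each entry documents one known-good administrative use.
BENIGN_ADMIN_USE = [
    ("deploy", re.compile(r"^doas -u root systemctl restart nginx$")),
]


def is_doas_execution(event):
    """True when the executable is doas, by process name or by first command token.

    Basename matching handles agents that record a full path; first-token matching
    catches events where process_name is missing or truncated. A bare substring
    match on the command line is deliberately avoided (see the grep event above).
    """
    if os.path.basename(event.get("process_name", "")) == "doas":
        return True
    cmd = event.get("process", "").strip()
    first = cmd.split(None, 1)[0] if cmd else ""
    return os.path.basename(first) == "doas"


def is_benign_admin_use(row, allowlist):
    """Apply the allowlist to an aggregated row (exact user plus anchored command regex)."""
    return any(user == row["user"] and pattern.search(row["process"])
               for user, pattern in allowlist)


def detect_doas_executions(events, allowlist=BENIGN_ADMIN_USE):
    """Aggregate doas executions like a tstats 'by' clause, then drop allowlisted rows."""
    groups = OrderedDict()
    for ev in events:
        if not is_doas_execution(ev):
            continue
        key = (ev["dest"], ev["user"], ev["parent_process_name"],
               ev["process_name"], ev["process"])
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])

    alerts = []
    for (dest, user, parent, name, cmd), g in groups.items():
        row = {"dest": dest, "user": user, "parent_process_name": parent,
               "process_name": name, "process": cmd, **g}
        if is_benign_admin_use(row, allowlist):
            continue
        alerts.append(row)
    return alerts


if __name__ == "__main__":
    for alert in detect_doas_executions(SAMPLE_EVENTS):
        print(f"{alert['dest']} {alert['user']} ({alert['parent_process_name']}) "
              f"x{alert['count']}: {alert['process']}")
```

Run against the sample events, the deploy user's scheduled nginx restart is aggregated into one row with count 2 and then removed by the allowlist, while the www-data shell reading /etc/shadow through doas survives as the single alert; the grep event never matches. Anchoring the allowlist regex on the whole command line matters: a loose pattern such as `systemctl` would also suppress `doas -u root systemctl` invocations with attacker-chosen arguments.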
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1548.003 (Abuse Elevation Control Mechanism: Sudo and Sudo Caching)
  • T1548 (Abuse Elevation Control Mechanism)
Created: 2024-11-13