LoFP / some automation or break-glass tooling may invoke sudo or su from scripts under /home; validate parent identity and change tickets before escalating.

Techniques

Sample rules

Suspicious SUID Binary Execution

Description

Detects execution of common privilege elevation helpers (su, sudo, pkexec, passwd, chsh, newgrp) under the root effective user when the real user and parent user are not root, combined with minimal argument counts and suspicious parent context (interpreters, short shell -c invocations, or parents running from user-writable paths).

Detection logic

host.os.type:linux and event.category:process and event.action:"exec" and
process.name:("su" or "sudo" or "pkexec" or "passwd" or "chsh" or "newgrp") and
process.user.id:"0" and not process.real_user.id:"0" and
not process.parent.user.id:"0" and
(
  (process.name:("sudo" or "pkexec") and process.args_count:1) or
  (process.name:("su" or "passwd" or "chsh" or "newgrp") and process.args_count <= 2)
) and
(
  process.parent.name:(python* or perl* or ruby* or node or bun or java or php* or lua* or .*) or
  process.parent.executable:(/tmp/* or /var/tmp/* or /dev/shm/* or /home/* or /run/user/*) or
  (process.parent.name:(bash or sh or zsh or dash or fish or ksh) and
   (process.parent.command_line:(-bash or -sh or -zsh or -dash or -fish or -ksh) or
    (process.parent.args:("-c" or "--command" or "-ic" or "-ci") and process.parent.args_count <= 4)))
)
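As an added illustration (not part of the rule set above), the following Python evaluates the same predicates over constructed, simplified events with flat field names; it assumes the events have already been filtered to Linux `exec` process events and shows which sample trips which branch.

```python
from fnmatch import fnmatchcase

# Constants copied from the detection logic above.
HELPERS = {"su", "sudo", "pkexec", "passwd", "chsh", "newgrp"}
INTERPRETERS = ["python*", "perl*", "ruby*", "node", "bun", "java", "php*", "lua*", ".*"]
WRITABLE_DIRS = ["/tmp/*", "/var/tmp/*", "/dev/shm/*", "/home/*", "/run/user/*"]
SHELLS = {"bash", "sh", "zsh", "dash", "fish", "ksh"}
SHELL_CMD_FLAGS = {"-c", "--command", "-ic", "-ci"}

def any_glob(value, patterns):
    """KQL-style wildcard test: '*' matches any run of characters."""
    return value is not None and any(fnmatchcase(value, p) for p in patterns)

def suspicious_parent(parent):
    """Third clause: interpreter parent, user-writable parent path, login shell, or short shell -c."""
    name = parent.get("name")
    if any_glob(name, INTERPRETERS) or any_glob(parent.get("executable"), WRITABLE_DIRS):
        return True
    if name not in SHELLS:
        return False
    if parent.get("command_line") in {"-" + s for s in SHELLS}:  # login shell, e.g. "-bash"
        return True
    return bool(SHELL_CMD_FLAGS & set(parent.get("args", []))) and parent.get("args_count", 0) <= 4

def matches(ev):
    """Evaluate the rule on one simplified event (assumed already a Linux exec event)."""
    name, parent = ev["name"], ev["parent"]
    if name not in HELPERS:
        return False
    # effective uid 0 while neither the real user nor the parent's user is root
    if ev["user_id"] != "0" or ev["real_user_id"] == "0" or parent["user_id"] == "0":
        return False
    minimal = ev["args_count"] == 1 if name in ("sudo", "pkexec") else ev["args_count"] <= 2
    return minimal and suspicious_parent(parent)

def event(name, args_count, parent, user_id="0", real_user_id="1000"):
    return {"name": name, "user_id": user_id, "real_user_id": real_user_id,
            "args_count": args_count, "parent": parent}

# Constructed sample events (not real telemetry), one per branch of the rule.
EVENTS = {
    "sudo_from_python": event("sudo", 1, {"name": "python3", "executable": "/usr/bin/python3", "user_id": "1000"}),
    "su_from_home": event("su", 2, {"name": "runner", "executable": "/home/dev/runner", "user_id": "1000"}),
    "sudo_via_sh_c": event("sudo", 1, {"name": "sh", "executable": "/bin/sh", "args": ["sh", "-c", "sudo"],
                                       "args_count": 3, "user_id": "1000"}),
    "sudo_i_from_login_shell": event("sudo", 2, {"name": "bash", "executable": "/bin/bash",
                                                 "command_line": "-bash", "user_id": "1000"}),
    "sudo_from_tmux": event("sudo", 1, {"name": "tmux", "executable": "/usr/bin/tmux", "user_id": "1000"}),
    "sudo_from_root_parent": event("sudo", 1, {"name": "python3", "executable": "/usr/bin/python3", "user_id": "0"}),
}
```

The `sudo -i` sample from a login shell does not match because its argument count is 2, which is the rule's main guard against flagging ordinary interactive elevation.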