Summary
Migrate sudo handling to the normalization/signal layer so detectors consume one consistent input model instead of mixing raw events and normalized signals.
Scope
- introduce a normalized signal path for sudo activity
- keep detector thresholds and semantics clear and configurable
- avoid changing unrelated parser or reporting behavior unless required for the signal model
Acceptance Criteria
- sudo detections no longer rely on raw parser event types directly
- detector input semantics are unified around the signal layer
- tests cover default sudo signal behavior and any config-driven behavior changes
- changes stay minimal and keep the code easy to read
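The following is an added illustration of the target shape, not code from this project: a sudo parser emits raw events, one normalization step maps them onto a single `Signal` model, and a detector reads only signals, with its threshold as configuration. The names `RawEvent`, `Signal`, `SudoFailureBurst` and the syslog-style sample lines are hypothetical/constructed for the example.

```python
"""Added example: sudo handled in a normalization/signal layer.
Detectors below never see parser event types; they consume Signal only.
All class names and log lines are hypothetical, constructed for illustration."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Iterable, Iterator

# Constructed sample log (syslog-style lines in the format sudo itself writes).
SAMPLE_LOG = """\
Mar 01 10:00:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl status nginx
Mar 01 10:00:05 web1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 01 10:00:09 web1 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 01 10:00:12 web1 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51000
Mar 01 10:00:15 web1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
"""

# Optional "<reason> ; " before TTY= is how sudo reports a failed attempt.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<failure>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


@dataclass(frozen=True)
class RawEvent:
    """Parser output. event_type names are parser-specific and may change."""
    event_type: str  # "sudo_command" | "sudo_failure"
    ts: str
    host: str
    fields: dict


@dataclass(frozen=True)
class Signal:
    """Normalized input model; the only thing detectors are allowed to read."""
    kind: str      # "privilege_escalation" for every sudo signal
    outcome: str   # "success" | "failure"
    ts: str
    host: str
    actor: str
    target: str
    command: str
    reason: str = ""


def parse(lines: Iterable[str]) -> Iterator[RawEvent]:
    """sudo parser: raw lines -> raw events; non-sudo lines are skipped."""
    for line in lines:
        m = SUDO_RE.match(line)
        if not m:
            continue
        etype = "sudo_failure" if m["failure"] else "sudo_command"
        yield RawEvent(etype, m["ts"], m["host"], m.groupdict())


def normalize(events: Iterable[RawEvent]) -> Iterator[Signal]:
    """The single place where raw sudo event types become signal semantics."""
    for ev in events:
        if ev.event_type not in ("sudo_command", "sudo_failure"):
            continue
        f = ev.fields
        yield Signal(
            kind="privilege_escalation",
            outcome="failure" if ev.event_type == "sudo_failure" else "success",
            ts=ev.ts, host=ev.host, actor=f["user"], target=f["runas"],
            command=f["cmd"].strip(), reason=(f.get("failure") or "").strip(),
        )


@dataclass
class SudoFailureBurst:
    """Detector: `threshold` failed escalations by one actor on one host.
    It keys on Signal.kind/outcome only, never on parser event types."""
    threshold: int = 3
    _seen: dict = field(default_factory=lambda: defaultdict(int))

    def feed(self, sig: Signal) -> str | None:
        if sig.kind != "privilege_escalation" or sig.outcome != "failure":
            return None
        key = (sig.host, sig.actor)
        self._seen[key] += 1
        if self._seen[key] == self.threshold:
            return (f"{sig.host}: {sig.actor} reached {self.threshold} failed sudo "
                    f"attempts (last target {sig.target}, cmd {sig.command!r})")
        return None


def run(log_text: str, threshold: int = 3) -> list[str]:
    """Wire parser -> normalizer -> detector and collect alerts."""
    det = SudoFailureBurst(threshold=threshold)
    alerts: list[str] = []
    for sig in normalize(parse(log_text.splitlines())):
        alert = det.feed(sig)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run(SAMPLE_LOG):
        print(a)
```

With the default threshold the sample produces one alert for `bob` on `web1` at the third failure; raising the threshold to 4 yields none, which is the config-driven behavior the acceptance criteria ask tests to cover. Swapping the parser's event type strings would only touch `normalize`, not the detector.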