custom rule is not triggering an alert #12300
Replies: 1 comment
Unfortunately, it looks like you're trying to add a Suricata rule, which would detect the text "sudo" in a network stream. Unless you're accessing a server via telnet or some other plaintext protocol, that's not going to trigger because the traffic you're seeing from SSH is going to be encrypted. If you want to alert on sudo activity on an endpoint, the best bet would be to collect the logs from that endpoint using Elastic Agent and write a play in Playbook to alert on the presence of sudo in a log file.
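The reply above makes the point that "sudo" will never be visible to a network sensor inside an SSH session, so the detection has to run on the endpoint's own logs. The following is an added example, not code from the original discussion and not Security Onion's or Playbook's own logic: it parses the log lines sudo writes to auth.log (the `user : TTY=... ; PWD=... ; USER=... ; COMMAND=...` format, including the denied and failed-password variants) and turns them into alert records, which is the kind of logic a play would encode over logs shipped by Elastic Agent. The sample log lines are constructed for the example.

```python
import re

# Pattern for the records sudo writes to auth.log / the syslog authpriv facility.
# Field layout follows sudo's own log messages:
#   <user> : [<reason> ;] TTY=<tty> ; PWD=<cwd> ; USER=<target> ; COMMAND=<cmd>
# <reason> is present only when the request was refused, e.g. "user NOT in sudoers"
# or "3 incorrect password attempts"; the negative lookahead keeps it from
# swallowing the TTY field on a plain successful record.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>(?!TTY=)[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>[^;]+?) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)

# Constructed sample auth.log excerpt (not taken from any real host).
SAMPLE_LOG = """\
Jan 14 10:21:55 web01 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Jan 14 10:22:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jan 14 10:22:01 web01 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=1000)
Jan 14 10:23:05 web01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jan 14 10:24:00 web01 sudo:      eve : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/eve ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""


def classify(event):
    """Map a parsed sudo record to a rule name and severity.

    Rule names and severities are this example's own choices, not Playbook's.
    """
    reason = event["reason"]
    if reason is None:
        return "sudo_command", "low"            # successful, authorised use of sudo
    if "NOT in sudoers" in reason:
        return "sudo_unauthorized", "high"      # the "unauthorized sudo" case the poster wanted
    if "incorrect password" in reason:
        return "sudo_auth_failure", "medium"    # wrong password, possibly brute forcing
    return "sudo_denied", "medium"              # any other refusal (e.g. command not allowed)


def detect_sudo(lines):
    """Return one alert dict per sudo command record found in the given log lines."""
    alerts = []
    for line in lines:
        m = SUDO_RE.match(line.rstrip("\n"))
        if not m:
            continue  # sshd, pam session lines, etc. carry no COMMAND= record
        event = m.groupdict()
        event["pwd"] = event["pwd"].strip()
        event["rule"], event["severity"] = classify(event)
        alerts.append(event)
    return alerts


if __name__ == "__main__":
    for alert in detect_sudo(SAMPLE_LOG.splitlines()):
        print(f'{alert["ts"]} {alert["host"]} [{alert["severity"]}] {alert["rule"]}: '
              f'{alert["user"]} -> {alert["target"]} ran {alert["cmd"]}')
```

Running the block on the sample prints three alerts (alice's normal apt run, bob's failed password, eve's refused attempt) and skips the sshd and PAM session lines. The same records are what Elastic Agent would ship from the endpoint, which is why a play over them sees activity that a Suricata content match on the encrypted SSH stream never can.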
Hi, I added the custom rule in administration>configuration>idstool>rules>local.rules. My custom rule is:
alert tcp any any -> any any (msg:"Alert - Unauthorized sudo command execution"; content:"sudo"; nocase; classtype:attempted-admin; sid:5000000; rev:1;)
It has to trigger an alert when someone executes the sudo command, but I'm not getting any alert in the alert dashboard regarding this.
But I'm also not getting any error while updating so-rule,
and I also added my local.rules file in the suricata.yaml file.
Any suggestion?