It would help if you could post the event as Sentinel sees it, for
example, tell us in which field(s) Sentinel places the various strings
(like 'sudo', '/bin/sudo', 'AUDIT_ROOT_EXECVE', etc.). With that,
creating a correlation rule should be a breeze.

Good luck.