Lacework generated an event after a non-root user launched 'ps' (Point-in-time Snapshot). The event, "New Privilege Escalation", was attributed to the root user even though sudo was not explicitly used to escalate privileges.
NOTE: the username and IP address were redacted.
ubuntu@ip-172-31-29-151:~$ ls -ltr /bin/ps
-rwsr-xr-x 1 root root 133432 Aug 9 2019 /bin/ps
Looking at the 'ps' file permissions, you can see that the setuid bit (the 's' in the owner's execute position) is set. This means that a process spawned from this file obtains its privileges from the file's owner rather than from its parent process.
As the output above shows, the binary 'ps' is owned by root and has the 'setUID' bit set, so any user with execute permission can run it as root without sudo.
During execution, the non-root user holds the file owner's privileges (root in this case), so the operation is attributed to the root user.
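The following is an added example (not Lacework's code) that works through the attribution logic described above: it parses `ls -l` style mode strings, flags the setuid and setgid bits, and reports which user a process exec'd from the file would run as. The first sample line is the page's own `ls -ltr /bin/ps` output; the other two lines, the `ubuntu` invoking user, and all function names are constructed for the example. A second helper runs the same check against a live path with `os.stat`.

```python
"""Interpret setuid bits the way the kernel does when attributing a process.

Added example, not Lacework's code: parse `ls -l` style mode strings, flag the
setuid/setgid bits, and report which identity a process spawned from the file
runs as. The same check is also done on a live path via os.stat.
"""
import grp
import os
import pwd
import stat
from dataclasses import dataclass

# Constructed sample listing. The first line is the page's own `ls -ltr /bin/ps`
# output; the other two are made up for contrast (a plain binary, a setgid one).
SAMPLE_LS_OUTPUT = """\
-rwsr-xr-x 1 root root 133432 Aug 9 2019 /bin/ps
-rwxr-xr-x 1 root root 43416 Aug 9 2019 /bin/cat
-rwxr-sr-x 1 root tty 35048 Jan 1 2020 /usr/bin/wall
"""


@dataclass
class FileMode:
    path: str
    owner: str
    group: str
    setuid: bool
    setgid: bool


def parse_mode_string(mode: str) -> tuple[bool, bool]:
    """Return (setuid, setgid) from a 10-char mode string such as '-rwsr-xr-x'.

    Position 3 is the owner execute slot and position 6 the group execute slot.
    An 's' there means exec + set-id; an uppercase 'S' means set-id without exec.
    """
    if len(mode) != 10:
        raise ValueError(f"unexpected mode string: {mode!r}")
    return mode[3] in "sS", mode[6] in "sS"


def parse_ls_line(line: str) -> FileMode:
    """Parse one `ls -l` line: mode links owner group size month day year path."""
    fields = line.split(None, 8)  # the path is the last field; keep its spaces
    if len(fields) != 9:
        raise ValueError(f"cannot parse ls line: {line!r}")
    setuid, setgid = parse_mode_string(fields[0])
    return FileMode(path=fields[8], owner=fields[2], group=fields[3],
                    setuid=setuid, setgid=setgid)


def effective_user(fm: FileMode, invoking_user: str) -> str:
    """Identity the kernel gives a process exec'd from this file by invoking_user.

    With setuid set, the effective UID is the file owner's, not the parent's,
    which is why the 'ps' run on the page is attributed to root, not to ubuntu.
    """
    return fm.owner if fm.setuid else invoking_user


def setuid_paths(ls_output: str) -> list[str]:
    """Paths in an `ls -l` listing whose setuid bit is set."""
    return [fm.path for fm in map(parse_ls_line, ls_output.splitlines()) if fm.setuid]


def check_path(path: str) -> FileMode:
    """Same check against a live file, reading the mode bits from os.stat."""
    st = os.stat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:  # uid without a passwd entry (common inside containers)
        owner = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return FileMode(path=path, owner=owner, group=group,
                    setuid=bool(st.st_mode & stat.S_ISUID),
                    setgid=bool(st.st_mode & stat.S_ISGID))


if __name__ == "__main__":
    for fm in map(parse_ls_line, SAMPLE_LS_OUTPUT.splitlines()):
        print(f"{fm.path}: setuid={fm.setuid} setgid={fm.setgid} -> "
              f"runs as {effective_user(fm, 'ubuntu')} when ubuntu launches it")
```

Running the script prints `/bin/ps ... runs as root when ubuntu launches it`, which is exactly the attribution Lacework reported. `check_path` is the form to use on a live host: in a stock procps package `ps` is not installed setuid, so a setuid bit on it is itself a finding worth explaining before the "New Privilege Escalation" event is closed.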