
Summary
This detection rule identifies potential system information discovery on Unix-based systems, including Linux and macOS. Adversaries use system information discovery techniques to gather data about the operating system and hardware, which can inform their follow-on actions during an attack, such as judging whether a full compromise is feasible. The rule looks for several commands indicative of such discovery – including 'csrutil', 'systemsetup', 'env', 'hostname', 'uname', and 'system_profiler' – being executed within a short time frame (default: 5 minutes). It is implemented as a SQL-like query on a Snowflake data platform that tracks processes launched from common Unix shells (bash, zsh, etc.). If multiple commands from this list are executed within a two-hour window, an alert is raised to flag potentially malicious activity.
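The sliding-window logic the summary describes, shown as an added Python example over constructed process events; this is not the rule's own Snowflake query. The discovery command list comes from the page; the shell list, the threshold of two distinct commands per host and the event schema are assumptions.

```python
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands named by the rule; the shell list is an assumption.
DISCOVERY_CMDS = {"csrutil", "systemsetup", "env", "hostname", "uname", "system_profiler"}
UNIX_SHELLS = {"bash", "zsh", "sh", "dash", "fish"}

def detect_discovery(events, window=timedelta(minutes=5), threshold=2):
    """Return [(host, sorted distinct commands)] for every host on which at least
    `threshold` distinct discovery commands were launched from a shell within
    `window`. Each event is a dict with: time (ISO 8601), host, parent, cmdline."""
    hits = defaultdict(list)
    for ev in events:
        if ev["parent"] not in UNIX_SHELLS:
            continue  # only processes spawned by a shell parent count
        exe = os.path.basename(ev["cmdline"].split()[0])
        if exe in DISCOVERY_CMDS:
            hits[ev["host"]].append((datetime.fromisoformat(ev["time"]), exe))
    alerts = []
    for host, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            # distinct discovery commands inside the window opening at this event
            names = {name for t, name in seen[i:] if t - start <= window}
            if len(names) >= threshold:
                alerts.append((host, sorted(names)))
                break  # one alert per host is enough
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2024-02-09T10:00:00", "host": "host-a", "parent": "bash", "cmdline": "uname -a"},
    {"time": "2024-02-09T10:00:30", "host": "host-a", "parent": "bash", "cmdline": "ls -la"},
    {"time": "2024-02-09T10:01:10", "host": "host-a", "parent": "bash", "cmdline": "hostname"},
    {"time": "2024-02-09T10:02:00", "host": "host-a", "parent": "zsh", "cmdline": "/usr/sbin/system_profiler SPHardwareDataType"},
    {"time": "2024-02-09T10:00:00", "host": "host-b", "parent": "zsh", "cmdline": "env"},
    {"time": "2024-02-09T12:00:00", "host": "host-b", "parent": "zsh", "cmdline": "uname -r"},
    {"time": "2024-02-09T10:00:00", "host": "host-c", "parent": "launchd", "cmdline": "csrutil status"},
]

if __name__ == "__main__":
    for host, cmds in detect_discovery(SAMPLE_EVENTS):
        print(f"ALERT {host}: {', '.join(cmds)}")
```

Only host-a fires with the 5-minute default: host-b's two commands are two hours apart, and host-c's csrutil was not launched from a shell.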
Categories
- Linux
- macOS
Data Sources
- Process
ATT&CK Techniques
- T1082
Created: 2024-02-09