
Summary
This detection rule identifies the execution of host and user discovery commands on Linux systems, which can indicate reconnaissance by an adversary. Commands such as 'whoami', 'hostname', 'id' and similar utilities are commonly used to gather information about the system and its users, and the data collected may shape the attacker's subsequent actions, so detecting this activity early supports threat identification. The detection relies on the Linux audit daemon (auditd) to monitor execve system calls that launch these discovery utilities. It targets the reconnaissance phase of an unauthorized access attempt, when an adversary gathers information about the environment before moving on to further intrusion techniques. Because legitimate administrative activity produces the same commands, false positives are expected, and the alert level is set to low to reduce noise while keeping visibility of potential threats.
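The following is an added example, not part of the original rule, showing how the detection logic described above can be run over raw auditd SYSCALL records. The audit rule in the comment, the set of discovery binaries beyond 'whoami', 'hostname' and 'id', the field names and the sample log lines are all assumptions constructed for the example.

```python
import re
from os.path import basename

# Assumed auditd rule that produces the records below (auditctl syntax):
#   -a always,exit -F arch=b64 -S execve -k discovery
# Discovery utilities to match: 'whoami', 'hostname' and 'id' come from the
# rule description; the remaining names are assumed additions.
DISCOVERY_BINARIES = {"whoami", "hostname", "id", "uname", "w", "who", "last"}

# execve syscall numbers (x86_64: 59, aarch64: 221) plus the resolved name
# that `ausearch -i` prints instead of the number.
EXECVE_SYSCALLS = {"59", "221", "execve"}

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_audit_record(line):
    """Turn one raw auditd line into a dict of key=value fields."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def is_discovery_exec(fields):
    """True only for a SYSCALL record that is an execve of a discovery binary."""
    if fields.get("type") != "SYSCALL":
        return False
    if fields.get("syscall") not in EXECVE_SYSCALLS:
        return False
    # Match on the executed path, not on file names touched by other syscalls.
    return basename(fields.get("exe", "")) in DISCOVERY_BINARIES

def detect(lines):
    """Return one low-severity alert per matching execve record."""
    alerts = []
    for line in lines:
        f = parse_audit_record(line)
        if is_discovery_exec(f):
            alerts.append({"level": "low", "auid": f.get("auid"), "uid": f.get("uid"),
                           "exe": f["exe"], "comm": f.get("comm"), "msg": f.get("msg")})
    return alerts

# Constructed sample records: two discovery executions, one benign execve,
# one EXECVE companion record and one openat on /etc/hostname (no match).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1571664000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=4021 pid=4022 auid=1000 uid=1000 gid=1000 comm="whoami" exe="/usr/bin/whoami" key="discovery"',
    'type=EXECVE msg=audit(1571664000.101:201): argc=1 a0="whoami"',
    'type=SYSCALL msg=audit(1571664000.205:202): arch=c000003e syscall=59 success=yes exit=0 ppid=4021 pid=4030 auid=1000 uid=1000 gid=1000 comm="ls" exe="/usr/bin/ls" key="discovery"',
    'type=SYSCALL msg=audit(1571664000.310:203): arch=c000003e syscall=59 success=yes exit=0 ppid=4021 pid=4031 auid=1000 uid=0 gid=0 comm="id" exe="/usr/bin/id" key="discovery"',
    'type=SYSCALL msg=audit(1571664000.400:204): arch=c000003e syscall=257 success=yes exit=3 ppid=4021 pid=4032 auid=1000 uid=1000 gid=1000 comm="cat" exe="/usr/bin/cat" name="/etc/hostname"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The alerts carry auid and uid so that repeated hits from one login session can be grouped before triage, which is where most administrative false positives are separated from real reconnaissance.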
Categories
- Linux
Data Sources
- Process
- File
ATT&CK Techniques
- T1033
Created: 2019-10-21