
Whoami.EXE Execution Anomaly

Summary
This detection rule targets anomalous executions of the whoami.exe process in Windows environments. Its primary intent is to identify suspicious instances of whoami.exe that are launched by atypical parent processes. The rule selects process-creation events whose image path ends with \whoami.exe or whose OriginalFileName is whoami.exe, then evaluates the parent process under which the executable ran. It applies filters that exclude known legitimate parent processes such as cmd.exe, PowerShell, and the Microsoft Monitoring Agent, and it discards records where ParentImage is null or empty, so that only events with a usable parent field are evaluated. In summary, the rule flags irregular uses of whoami.exe that could indicate reconnaissance or exploitation activity, while accounting for known benign scenarios to reduce false positives.
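The selection and filter logic described above, applied to constructed process-creation events, as an added example; this is not the rule's own source. The exact parent image names and the Microsoft Monitoring Agent install path are assumptions, since the summary names only cmd.exe, PowerShell and the agent.

```python
# Added example implementing the described detection logic over constructed
# Sysmon Event ID 1 style events. Parent image names and the monitoring-agent
# path fragment are assumptions, not values from the rule's source.
BENIGN_PARENT_SUFFIXES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
BENIGN_PARENT_FRAGMENTS = ("\\microsoft monitoring agent\\",)  # assumed path


def is_whoami(event: dict) -> bool:
    """Selection: Image ends with \\whoami.exe or OriginalFileName is whoami.exe."""
    image = (event.get("Image") or "").lower()
    original = (event.get("OriginalFileName") or "").lower()
    return image.endswith("\\whoami.exe") or original == "whoami.exe"


def is_anomalous(event: dict) -> bool:
    """True when the event survives the selection and all exclusion filters."""
    if not is_whoami(event):
        return False
    parent = event.get("ParentImage")
    if not parent:           # null or empty ParentImage: discarded, not flagged
        return False
    parent = parent.lower()  # Sigma string matching is case-insensitive
    if parent.endswith(BENIGN_PARENT_SUFFIXES):
        return False
    return not any(fragment in parent for fragment in BENIGN_PARENT_FRAGMENTS)


def find_anomalies(events: list[dict]) -> list[int]:
    """Record ids of the events the rule would flag."""
    return [e["RecordId"] for e in events if is_anomalous(e)]


# Constructed sample events: one benign parent, two anomalies (one of them a
# renamed copy caught only by OriginalFileName), one null parent, one agent
# parent, and one unrelated process.
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Windows\System32\whoami.exe",
     "OriginalFileName": "whoami.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"RecordId": 2, "Image": r"C:\Windows\System32\whoami.exe",
     "OriginalFileName": "whoami.exe", "ParentImage": r"C:\Windows\Temp\svc.exe"},
    {"RecordId": 3, "Image": r"C:\Users\Public\wa.exe",
     "OriginalFileName": "whoami.exe", "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"RecordId": 4, "Image": r"C:\Windows\System32\whoami.exe",
     "OriginalFileName": "whoami.exe", "ParentImage": None},
    {"RecordId": 5, "Image": r"C:\Windows\System32\whoami.exe", "OriginalFileName": "whoami.exe",
     "ParentImage": r"C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe"},
    {"RecordId": 6, "Image": r"C:\Windows\System32\hostname.exe",
     "OriginalFileName": "hostname.exe", "ParentImage": r"C:\Windows\Temp\svc.exe"},
]

if __name__ == "__main__":
    print(find_anomalies(SAMPLE_EVENTS))  # → [2, 3]
```

Record 3 shows why the OriginalFileName clause matters: a renamed binary would otherwise slip past the path suffix check.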
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2021-08-12