
Summary
This detection rule identifies execution of the PowerShell cmdlet `Get-LocalUser`, which systems administrators commonly use to query local user accounts on Windows hosts. The analytic uses process telemetry collected by Endpoint Detection and Response (EDR) agents, specifically the process name and command-line arguments of the launched process. Monitoring this cmdlet matters because adversaries and Red Teams use it to enumerate local accounts during reconnaissance; knowing which accounts exist, and whether they are enabled, informs later credential attacks, lateral movement and privilege escalation within a network. The rule alerts security teams to this specific activity so they can investigate and respond in near real time. Because `Get-LocalUser` is also routine administrative activity, expect benign hits: baseline who runs it in your environment and weigh parent process, invoking user and surrounding activity before escalating an alert.
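The following is an added illustration of the detection logic described above, run over constructed EDR-style process-creation records; it is not code from the original page or from the detection's author. The field names (`process`, `cmdline`, `parent`) and the sample events are assumptions chosen to resemble typical EDR or Sysmon Event ID 1 data.

```python
import re

# Constructed sample process-creation events, loosely modelled on what an EDR
# agent or Sysmon Event ID 1 reports. Illustrative records only, not real data.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "parent": "explorer.exe",
     "process": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-LocalUser"},
    {"host": "ws02", "user": "CORP\\svc-build", "parent": "cmd.exe",
     "process": "pwsh.exe",
     "cmdline": 'pwsh.exe -c "get-localuser | select Name,Enabled"'},
    {"host": "ws03", "user": "CORP\\bob", "parent": "explorer.exe",
     "process": "powershell.exe",
     "cmdline": "powershell.exe Get-LocalGroupMember Administrators"},
    {"host": "ws04", "user": "CORP\\eve", "parent": "cmd.exe",
     "process": "net.exe",
     "cmdline": "net user"},
    {"host": "ws05", "user": "CORP\\carol", "parent": "winword.exe",
     "process": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -c Get-LocalUser -Name Administrator"},
]

# Process images that host PowerShell; the rule is scoped to the cmdlet,
# so equivalent enumeration via net.exe ("net user") is deliberately not matched.
POWERSHELL_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# PowerShell cmdlet names are case-insensitive, so the match must be as well.
# The word boundaries keep a different cmdlet such as Get-LocalUserX from matching.
CMDLET_PATTERN = re.compile(r"\bGet-LocalUser\b", re.IGNORECASE)


def matches_rule(event: dict) -> bool:
    """True when a PowerShell host process ran Get-LocalUser on its command line."""
    image = event["process"].lower()
    return image in POWERSHELL_HOSTS and CMDLET_PATTERN.search(event["cmdline"]) is not None


def run_detection(events: list) -> list:
    """Apply the rule to a batch of process events and return the matching ones."""
    return [e for e in events if matches_rule(e)]


def triage_hint(event: dict) -> str:
    """Assumed tuning heuristic (not part of the rule): flag non-interactive
    launches from document handlers or with a hidden window for priority review."""
    parent = event["parent"].lower()
    hidden = re.search(r"-w(indowstyle)?\s+hidden", event["cmdline"], re.IGNORECASE)
    if parent in {"winword.exe", "excel.exe", "outlook.exe"} or hidden:
        return "review first"
    return "baseline against known admin activity"


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"{hit['host']} {hit['user']} parent={hit['parent']} "
              f"-> {triage_hint(hit)} :: {hit['cmdline']}")
```

The scope shown here mirrors the rule: only PowerShell host processes with the cmdlet on the command line are matched, so `net user` on ws04 and the `Get-LocalGroupMember` call on ws03 are left alone. The triage heuristic is an assumption added for illustration, not part of the detection itself.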
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1087
- T1087.001
Created: 2024-11-13