
Windows User Discovery Via Net

Splunk Security Content

Summary
The detection rule "Windows User Discovery Via Net" targets execution of `net.exe` or `net1.exe` with command-line arguments containing `user` or `users`, which enumerates local user accounts on Windows systems. This behavior typically indicates reconnaissance by an adversary seeking user account information, often a preliminary step in broader Active Directory reconnaissance. The rule relies on telemetry collected from Endpoint Detection and Response (EDR) agents, drawing on data sources such as Sysmon EventID 1, Windows Event Log Security 4688, and CrowdStrike ProcessRollup2. By examining process names and command-line arguments, the detection identifies processes that query user accounts while excluding commands associated with account modification (e.g., add or delete). In a context indicating malicious intent, such activity may precede further exploitation, such as privilege escalation or lateral movement within the network.
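The matching logic described above, written out as an added Python example rather than the rule's own SPL (this is not Splunk's code). It assumes EDR process events reduced to a host, a user, a process name and a full command line (field names are assumptions), that the `net` sub-command is always the first token after the binary, and that the modification switches to exclude are exactly the `/add` and `/delete` cases the summary names. The sample events are constructed.

```python
from dataclasses import dataclass


# Constructed stand-in for a normalised EDR process event (Sysmon EventID 1,
# Security 4688 or CrowdStrike ProcessRollup2 would all carry these fields under
# their own names; the names here are assumptions).
@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    process_name: str
    command_line: str


NET_BINARIES = {"net.exe", "net1.exe"}
ENUM_SUBCOMMANDS = {"user", "users"}
# Switches that turn "net user" into an account modification rather than a
# query. The page only names add and delete, so the exclusion stops there.
MODIFY_SWITCHES = {"/add", "/delete"}


def _tokens(command_line: str) -> list[str]:
    """Lower-cased, quote-stripped whitespace tokens of a Windows command line.

    net.exe arguments carry no embedded spaces that matter for this check, so a
    plain whitespace split is sufficient.
    """
    return [t.strip('"').lower() for t in command_line.split()]


def is_net_user_discovery(event: ProcessEvent) -> bool:
    """True when net.exe/net1.exe queries user accounts without modifying one."""
    if event.process_name.lower() not in NET_BINARIES:
        return False
    toks = _tokens(event.command_line)
    # toks[0] is the binary (possibly a full path); toks[1] is the sub-command.
    if len(toks) < 2 or toks[1] not in ENUM_SUBCOMMANDS:
        return False
    # "net user <name> <pw> /add" and "net user <name> /delete" are covered by
    # other rules and are excluded here, as the summary describes.
    return not any(t in MODIFY_SWITCHES for t in toks[2:])


def find_user_discovery(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Return the subset of events the rule would alert on."""
    return [e for e in events if is_net_user_discovery(e)]


# Constructed sample telemetry: three queries, two modifications, two unrelated.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "CORP\\jdoe", "net.exe", "net user"),
    ProcessEvent("WS01", "CORP\\jdoe", "net1.exe",
                 '"C:\\Windows\\System32\\net1.exe" user /domain'),
    ProcessEvent("SRV02", "CORP\\svc_app", "net.exe", "net user svc_backup"),
    ProcessEvent("SRV02", "CORP\\admin", "net.exe",
                 "net user tempadmin P@ssw0rd! /add"),
    ProcessEvent("SRV02", "CORP\\admin", "net.exe", "net user tempadmin /delete"),
    ProcessEvent("WS01", "CORP\\jdoe", "net.exe", "net localgroup administrators"),
    ProcessEvent("WS01", "CORP\\jdoe", "netstat.exe", "netstat -ano"),
]


if __name__ == "__main__":
    for hit in find_user_discovery(SAMPLE_EVENTS):
        print(f"{hit.host} {hit.user}: {hit.command_line}")
```

Running the block prints the three query events and nothing for the add/delete, `localgroup` or `netstat` lines. Tokenising rather than substring-matching on `user` is what keeps `netstat` and `net use` style commands out of the result; the trade-off is that a command line with an unusual token order would be missed, which is why the sub-command position is stated as an assumption.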
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1087
  • T1087.001
Created: 2025-01-13