Linux Auditd Whoami User Discovery

Splunk Security Content

Summary
This detection rule identifies execution of the 'whoami' command as recorded by the Linux Audit daemon (Auditd). Attackers commonly run this command during reconnaissance to determine the current user identity and privileges on a compromised system. The rule alerts on atypical or unauthorized executions of the command, which can indicate probing ahead of privilege escalation or other malicious actions. It requires Linux Auditd logs as input, specifically the syscall events that record execution of 'whoami'. The rule improves visibility over Linux endpoints and lets security teams respond early to threats arising from user account reconnaissance.
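As an added illustration (not the Splunk rule's own logic or SPL), the Python below joins raw auditd SYSCALL and EXECVE records by their audit serial and flags execve events that run whoami, including when it is hex-encoded inside a shell -c string. The sample records, the key="exec" label and the field values are constructed; the auid, uid and tty fields returned are the context an analyst would pivot on when triaging such an alert.

```python
import re
from collections import defaultdict
from os.path import basename

# Constructed sample auditd records (not a real capture); the SYSCALL and EXECVE lines of one event
# share the audit(<time>:<serial>) id. key="exec" assumes a rule loaded with "-k exec"; 2003's arg is hex-encoded.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1731500000.101:2001): arch=c000003e syscall=59 success=yes exit=0 ppid=4120 pid=4133 auid=1000 uid=1000 euid=1000 tty=pts0 comm="whoami" exe="/usr/bin/whoami" key="exec"
type=EXECVE msg=audit(1731500000.101:2001): argc=1 a0="whoami"
type=SYSCALL msg=audit(1731500000.205:2002): arch=c000003e syscall=59 success=yes exit=0 ppid=4120 pid=4140 auid=1000 uid=1000 euid=1000 tty=pts0 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1731500000.205:2002): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1731500000.310:2003): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=4151 auid=4294967295 uid=33 euid=33 tty=(none) comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1731500000.310:2003): argc=3 a0="sh" a1="-c" a2=77686F616D693B206964
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\):")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_arg(raw):
    # Quoted EXECVE args are literal; unquoted ones are auditd's hex encoding of args with spaces/quotes.
    if raw.startswith('"'):
        return raw.strip('"')
    return bytes.fromhex(raw).decode("utf-8", "replace") if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw) else raw

def parse_events(log_text):
    # Join the SYSCALL and EXECVE records of each event on their shared audit serial.
    events = defaultdict(lambda: {"argv": []})
    for line in log_text.splitlines():
        head = HEADER_RE.match(line)
        if not head:
            continue
        rec_type, _ts, serial = head.groups()
        fields = dict(FIELD_RE.findall(line[head.end():]))
        if rec_type == "SYSCALL":
            events[serial].update({k: v.strip('"') for k, v in fields.items()})
        elif rec_type == "EXECVE":
            events[serial]["argv"] = [decode_arg(fields[f"a{i}"]) for i in range(int(fields.get("argc", "0"))) if f"a{i}" in fields]
    return events

def invokes_whoami(ev):
    # Direct execution, or whoami buried in a shell "-c" string such as "whoami; id".
    if basename(ev.get("exe", "")) == "whoami":
        return True
    return any(basename(tok) == "whoami" for arg in ev["argv"] for tok in re.split(r"[\s;&|]+", arg))

def detect_whoami(log_text):
    # Matching execve events plus identity context; auid 4294967295 means no login session (e.g. a daemon).
    return [{"serial": s, "auid": ev.get("auid"), "uid": ev.get("uid"), "tty": ev.get("tty"),
             "comm": ev.get("comm"), "argv": ev["argv"]}
            for s, ev in sorted(parse_events(log_text).items()) if ev["argv"] and invokes_whoami(ev)]
```

Running `detect_whoami(SAMPLE_AUDIT_LOG)` returns events 2001 and 2003 and skips the `ls` execution.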
Categories
  • Linux
  • Endpoint
Data Sources
  • Pod
  • Script
  • Logon Session
  • Process
ATT&CK Techniques
  • T1033
Created: 2024-11-13