User Discovery via Environment Variables - PowerShell

Anvilogic Forge

Summary
This rule identifies potential user discovery attempts carried out by threat actors using PowerShell commands that reference environment variables, specifically the current user's name. User discovery is a critical step for attackers because it yields information about logged-in users that can facilitate lateral movement and privilege escalation within the network. The detection monitors how PowerShell is used on endpoints, looking specifically for commands such as `$env:UserName` or `[System.Environment]::UserName` that retrieve the user name. PowerShell script block logging is strongly recommended for accurate detection, since it captures the full execution context of the script rather than only the launching command line. If logs from other sources (for example, process creation logs) are relied upon instead, the PowerShell command is only visible when it is executed in a way that spawns a new process with the command on its command line (e.g., `powershell -command`). By correlating endpoint data and EDR logs, this detection can surface potential threats by flagging unusual PowerShell activity associated with user query patterns.
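As an added illustration (not the Anvilogic rule's own logic), the Python script below applies the two patterns named above to constructed sample events from both data sources and shows the coverage gap the summary describes: a script run via `-File` is invisible in process logs, while script block logging exposes the content. The event field names (`source`, `text`, `image`, `cmdline`) are assumptions, not a real telemetry schema.

```python
import re

# Patterns the rule looks for. PowerShell is case-insensitive, so the match is too;
# the optional braces accept the equivalent ${env:UserName} spelling (assumption, not
# from the rule text).
USERNAME_PATTERNS = re.compile(
    r"\$\{?env:username\}?|\[System\.Environment\]::UserName",
    re.IGNORECASE,
)

# Constructed sample events (not real telemetry). "scriptblock" events carry the
# executed script text; "process" events carry only the launching command line.
SAMPLE_EVENTS = [
    {"source": "scriptblock", "host": "ws01", "text": "Write-Host $env:UserName"},
    {"source": "scriptblock", "host": "ws02", "text": "$u = [System.Environment]::UserName; $u"},
    {"source": "process", "host": "ws03", "image": "powershell.exe",
     "cmdline": 'powershell -command "echo $env:USERNAME"'},
    # Script-file execution: the user lookup happens inside inventory.ps1, which a
    # process log never sees. Only script block logging would catch this one.
    {"source": "process", "host": "ws04", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\inventory.ps1"},
    # Not PowerShell at all; outside this rule's scope.
    {"source": "process", "host": "ws05", "image": "cmd.exe",
     "cmdline": "cmd /c echo %USERNAME%"},
    # Benign environment-variable use that must not fire.
    {"source": "scriptblock", "host": "ws06", "text": "Get-ChildItem $env:TEMP"},
]


def event_text(event):
    """Return the text the rule should inspect for this event, or '' if out of scope."""
    if event["source"] == "scriptblock":
        return event["text"]
    if event["source"] == "process" and event["image"].lower() in ("powershell.exe", "pwsh.exe"):
        return event["cmdline"]
    return ""


def detect(events):
    """Apply the rule's patterns and return one hit per matching event."""
    hits = []
    for e in events:
        m = USERNAME_PATTERNS.search(event_text(e))
        if m:
            hits.append({"host": e["host"], "source": e["source"], "match": m.group(0)})
    return hits


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(h)
```

Running it flags ws01, ws02 and ws03 only; ws04 is the case the summary warns about, where the process log shows a script path but not the user lookup inside it.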
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Application Log
  • User Account
ATT&CK Techniques
  • T1033
Created: 2024-02-09