
Summary
This analytic rule detects the execution of the 'whoami' command with certain flags that are indicative of an attacker checking for elevated privileges on a Windows system. The detection utilizes telemetry from Endpoint Detection and Response (EDR) agents, including Sysmon EventID 1 and Windows Event Log Security 4688, among others. The 'whoami' command is a common reconnaissance tool used by threat actors, particularly groups like FIN7, to assess their current privilege level within a compromised environment. By detecting this behavior, security teams can respond quickly to potential security threats that may lead to privilege escalation or persistence tactics used by intruders. The corresponding search query aggregates relevant data to identify suspicious command-line activity pertaining to the whoami command and related processes. System administrators are advised to implement this detection rule alongside security telemetry from their EDR solutions to bolster endpoint security.
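The detection logic described above, run over a handful of constructed Sysmon EventID 1 and Security 4688 style records, as an added example that is not the rule's own search query. The flag set (/priv, /groups, /all) and the field names are assumptions, since the page does not list the flags it matches on.

```python
from collections import defaultdict

# Assumed flag set (the page does not name the flags): whoami switches that
# enumerate privileges or group membership rather than just the user name.
PRIV_FLAGS = {"/priv", "/groups", "/all"}

# Constructed sample records, modelled on Sysmon EventID 1 / Security 4688
# process-creation events after normalization to common field names.
SAMPLE_EVENTS = [
    {"dest": "WS01", "user": "CORP\\alice", "parent_process_name": "cmd.exe",
     "process_name": "whoami.exe", "process": "whoami /priv", "source": "Sysmon:1"},
    {"dest": "WS01", "user": "CORP\\alice", "parent_process_name": "cmd.exe",
     "process_name": "whoami.exe", "process": "whoami.exe /all", "source": "Security:4688"},
    {"dest": "WS02", "user": "CORP\\bob", "parent_process_name": "powershell.exe",
     "process_name": "whoami.exe", "process": "WHOAMI /GROUPS", "source": "Sysmon:1"},
    # Plain whoami with no flag: common in scripts and help-desk use, not flagged.
    {"dest": "WS03", "user": "CORP\\carol", "parent_process_name": "cmd.exe",
     "process_name": "whoami.exe", "process": "whoami", "source": "Sysmon:1"},
    # The string "whoami" appearing in another process's arguments is not a match.
    {"dest": "WS03", "user": "CORP\\carol", "parent_process_name": "explorer.exe",
     "process_name": "notepad.exe", "process": "notepad.exe whoami_priv.txt", "source": "Sysmon:1"},
]

def is_priv_check(event):
    """True when whoami.exe itself ran with a privilege-enumerating switch."""
    if event["process_name"].lower() != "whoami.exe":
        return False
    # Case-insensitive token match on the arguments only (skip argv[0]).
    tokens = event["process"].lower().split()
    return any(tok in PRIV_FLAGS for tok in tokens[1:])

def aggregate(events):
    """Mirror the search's aggregation: count and distinct command lines
    per host / user / parent process, with the telemetry sources seen."""
    out = defaultdict(lambda: {"count": 0, "process": set(), "sources": set()})
    for ev in events:
        if is_priv_check(ev):
            key = (ev["dest"], ev["user"], ev["parent_process_name"])
            out[key]["count"] += 1
            out[key]["process"].add(ev["process"])
            out[key]["sources"].add(ev["source"])
    return dict(out)

if __name__ == "__main__":
    for (dest, user, parent), v in aggregate(SAMPLE_EVENTS).items():
        print(f"{dest} {user} via {parent}: {v['count']}x {sorted(v['process'])} "
              f"from {sorted(v['sources'])}")
```

Two hosts are reported and the flag-less whoami on WS03 is left out, which is the noise reduction that matching on specific switches buys over alerting on every whoami execution.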
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1033
Created: 2024-11-13