
Summary
This detection rule identifies execution of the `whoami` command on a Linux host. `whoami` prints the user name of the current effective identity, so an actor who has just obtained a shell or escalated privileges commonly runs it to confirm which account they are operating as, making it a potential indicator of privilege testing or user enumeration. The command appears both in legitimate tooling and in post-exploitation activity aimed at gathering information about the target environment. The rule inspects events categorized as process starts and filters for invocation of `whoami`. Because legitimate security testing tools, administrative scripts and automation routinely execute this command, false positives are expected and the rule is assigned a low risk score. It supports monitoring of user discovery activity in line with the MITRE ATT&CK technique System Owner/User Discovery (T1033) under the Discovery tactic (TA0007).
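The following is an added worked example of the detection logic described above; it is not the rule's own query or vendor code. It runs the process-start filter over a handful of constructed events in an ECS-like shape (the field names `event.category`, `event.type`, `host.os.type`, `process.name`, `process.executable`, `process.parent.name` and `user.name` are assumed for illustration), matches `whoami` by process name or executable basename, ignores non-start and non-Linux events, and applies a hypothetical parent-process allowlist to show one way the false positives mentioned in the summary might be tuned out.

```python
"""Worked example: whoami process-start detection over constructed sample events."""
import os
from typing import Iterable

# ATT&CK mapping and severity as stated in the rule summary.
ATTACK_TECHNIQUE = "T1033"   # System Owner/User Discovery
ATTACK_TACTIC = "TA0007"     # Discovery
RISK_SCORE = "low"

# Hypothetical tuning, not part of the rule: parent processes treated as known automation.
ALLOWLISTED_PARENTS = {"ansible-playbook"}

# Constructed sample events (not real telemetry) in an ECS-like shape.
SAMPLE_EVENTS = [
    # 1. Interactive whoami from a shell: should alert.
    {"event": {"category": "process", "type": "start"}, "host": {"os": {"type": "linux"}},
     "process": {"name": "whoami", "executable": "/usr/bin/whoami", "args": ["whoami"],
                 "parent": {"name": "bash"}}, "user": {"name": "www-data"}},
    # 2. Shell command line containing whoami: the shell itself is not whoami; the child
    #    whoami process produces its own start event, so this event does not match.
    {"event": {"category": "process", "type": "start"}, "host": {"os": {"type": "linux"}},
     "process": {"name": "bash", "executable": "/bin/bash", "args": ["bash", "-c", "whoami; id"],
                 "parent": {"name": "sshd"}}, "user": {"name": "deploy"}},
    # 3. Process end event for whoami: wrong event type, ignored.
    {"event": {"category": "process", "type": "end"}, "host": {"os": {"type": "linux"}},
     "process": {"name": "whoami", "executable": "/usr/bin/whoami", "args": ["whoami"],
                 "parent": {"name": "bash"}}, "user": {"name": "www-data"}},
    # 4. Windows host: out of scope for a Linux rule.
    {"event": {"category": "process", "type": "start"}, "host": {"os": {"type": "windows"}},
     "process": {"name": "whoami.exe", "executable": "C:\\Windows\\System32\\whoami.exe",
                 "args": ["whoami.exe"], "parent": {"name": "cmd.exe"}}, "user": {"name": "bob"}},
    # 5. whoami launched by allowlisted automation: matches the rule but is suppressed.
    {"event": {"category": "process", "type": "start"}, "host": {"os": {"type": "linux"}},
     "process": {"name": "whoami", "executable": "/usr/bin/whoami", "args": ["whoami"],
                 "parent": {"name": "ansible-playbook"}}, "user": {"name": "root"}},
    # 6. Event with no process.name field; matched via the executable basename.
    {"event": {"category": "process", "type": "start"}, "host": {"os": {"type": "linux"}},
     "process": {"executable": "/usr/bin/whoami", "args": ["whoami"],
                 "parent": {"name": "python3"}}, "user": {"name": "root"}},
]


def is_whoami_start(event: dict) -> bool:
    """Core rule filter: a Linux process-start event whose process is whoami."""
    ev = event.get("event", {})
    if ev.get("category") != "process" or ev.get("type") != "start":
        return False
    if event.get("host", {}).get("os", {}).get("type") != "linux":
        return False
    proc = event.get("process", {})
    name = proc.get("name") or os.path.basename(proc.get("executable", ""))
    return name == "whoami"


def evaluate(events: Iterable[dict]) -> list[dict]:
    """Run the rule over events and return alerts, suppressing allowlisted parents."""
    alerts = []
    for event in events:
        if not is_whoami_start(event):
            continue
        parent = event.get("process", {}).get("parent", {}).get("name", "")
        if parent in ALLOWLISTED_PARENTS:
            continue  # false-positive tuning; the raw event is still in the logs
        alerts.append({
            "rule": "whoami process start (Linux)",
            "technique": ATTACK_TECHNIQUE,
            "tactic": ATTACK_TACTIC,
            "risk": RISK_SCORE,
            "user": event.get("user", {}).get("name"),
            "parent": parent,
            "executable": event.get("process", {}).get("executable"),
        })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Matching on the process name rather than the parent's command line is deliberate: a shell running `bash -c "whoami; id"` forks `whoami` as a separate process with its own start event, so the rule still fires on that child while avoiding brittle substring matches on arbitrary command lines.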
Categories
- Linux
- Endpoint
- Other
Data Sources
- Process
- Logon Session
- Container
ATT&CK Techniques
- T1033
Created: 2020-02-18