
Summary
This analytic rule detects execution of `whoami.exe` with the `/priv` parameter on Windows systems, which lists the privileges held by the current access token. Running it is a common reconnaissance step: an adversary who has gained a foothold checks for privileges such as SeImpersonatePrivilege or SeDebugPrivilege that could be abused for later privilege escalation. The detection uses process-creation telemetry from Sysmon (Event ID 1), Windows Security event logs (Event ID 4688) and CrowdStrike EDR, matching on the process name and on the command-line arguments. Matching executions are aggregated per process so that repeated runs surface as a single result. Because administrators and management scripts also run `whoami /priv` legitimately, expect some benign hits and tune on user, parent process and host before treating a match as malicious.
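The matching and aggregation logic described above, as an added example in Python rather than the rule's own search language; this is not the analytic's code. The event field names are an assumption that mirrors Sysmon Event ID 1 (Image, OriginalFileName, CommandLine, ParentImage, User); the sample events are constructed, not real telemetry. It also shows two details a practitioner wants in this detection: matching on OriginalFileName so a renamed copy of `whoami.exe` still hits, and matching `/priv` as a whole token so command lines that merely contain the substring `priv` do not.

```python
from typing import Iterable

# Constructed sample events in Sysmon Event ID 1 shape; not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2024-11-13T10:01:02Z", "host": "WS01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\whoami.exe", "original_file_name": "whoami.exe",
     "command_line": "whoami /priv", "parent_image": "C:\\Windows\\System32\\cmd.exe"},
    {"time": "2024-11-13T10:01:07Z", "host": "WS01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\whoami.exe", "original_file_name": "whoami.exe",
     "command_line": "WHOAMI.EXE  /PRIV", "parent_image": "C:\\Windows\\System32\\cmd.exe"},
    # Renamed copy of whoami.exe: Image no longer says whoami, OriginalFileName still does.
    {"time": "2024-11-13T10:05:00Z", "host": "SRV02", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Users\\Public\\w.exe", "original_file_name": "whoami.exe",
     "command_line": "w.exe /priv",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    # Lookalikes that must NOT match: bare whoami, and a command line containing 'priv'.
    {"time": "2024-11-13T10:06:00Z", "host": "WS03", "user": "CORP\\bob",
     "image": "C:\\Windows\\System32\\whoami.exe", "original_file_name": "whoami.exe",
     "command_line": "whoami", "parent_image": "C:\\Windows\\explorer.exe"},
    {"time": "2024-11-13T10:07:00Z", "host": "WS03", "user": "CORP\\bob",
     "image": "C:\\Windows\\System32\\notepad.exe", "original_file_name": "NOTEPAD.EXE",
     "command_line": "notepad.exe C:\\notes\\privileges.txt",
     "parent_image": "C:\\Windows\\explorer.exe"},
]


def _basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_whoami_priv(event: dict) -> bool:
    """True when the process is whoami.exe (by Image or OriginalFileName)
    and the command line carries a standalone /priv switch."""
    names = {_basename(event.get("image", "")),
             event.get("original_file_name", "").lower()}
    if "whoami.exe" not in names:
        return False
    # Token match rather than substring match: 'privileges.txt' or '/privacy'
    # must not trigger the rule.
    tokens = event.get("command_line", "").lower().split()
    return "/priv" in tokens


def detect(events: Iterable[dict]) -> list[dict]:
    """Filter to matching events and aggregate per host, user and parent
    process, so repeated executions roll up into one result."""
    groups: dict[tuple, dict] = {}
    for ev in events:
        if not is_whoami_priv(ev):
            continue
        key = (ev["host"], ev["user"], _basename(ev["parent_image"]))
        g = groups.setdefault(key, {
            "host": key[0], "user": key[1], "parent_process": key[2],
            "count": 0, "first_time": ev["time"], "last_time": ev["time"],
            "command_lines": set(),
        })
        g["count"] += 1
        g["first_time"] = min(g["first_time"], ev["time"])   # ISO-8601 sorts as text
        g["last_time"] = max(g["last_time"], ev["time"])
        g["command_lines"].add(ev["command_line"])
    return sorted(groups.values(), key=lambda g: (g["host"], g["user"]))


if __name__ == "__main__":
    for r in detect(SAMPLE_EVENTS):
        print(f'{r["host"]} {r["user"]} via {r["parent_process"]}: '
              f'{r["count"]} execution(s), {r["first_time"]}..{r["last_time"]} '
              f'{sorted(r["command_lines"])}')
```

On the constructed input this yields two results: one for SRV02 (the renamed binary under PowerShell, run as SYSTEM) and one for WS01 with a count of two, while the bare `whoami` and the notepad command line are ignored. The aggregation key (host, user, parent process) is what makes tuning practical: a scheduled task or monitoring agent that runs `whoami /priv` shows up as one stable group that can be allow-listed, whereas the same command under a user's PowerShell or a web-server worker process stands out.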
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1033
Created: 2024-11-13