
Summary
This detection rule identifies PowerShell commands that retrieve the identity of the currently logged-in user. Specifically, it monitors script block executions whose text contains constructs such as `[System.Environment]::UserName`, `$env:UserName`, or `[System.Security.Principal.WindowsIdentity]::GetCurrent()`. Such commands can indicate host and user enumeration by an attacker establishing which account, and which privilege level, a foothold is running under before moving on to privilege escalation or lateral movement. The rule depends on PowerShell Script Block Logging being enabled, since the script block text is only recorded in Event ID 4104 of the Microsoft-Windows-PowerShell/Operational log when that policy is on. Because the same constructs are common in legitimate administrative scripts, alerts from this rule should be reviewed in context (the parent process, the user, and the rest of the script block) rather than treated as conclusive on their own. The rule aims to alert administrators to user identity queries that could precede more malicious activity.
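The following is an added example, written for this page and not part of the Splunk Security Content project's own rule, that applies the matching logic described above to constructed Event ID 4104 script block records. The event records and their script block text are invented for illustration; the field name `ScriptBlockText` follows the 4104 event schema, and everything else (host and user names, the script contents) is assumed. One constructed event uses the shortened `[Environment]::UserName` form, which PowerShell accepts but which the three listed constructs do not cover, to show a miss a practitioner should be aware of.

```python
import re
from dataclasses import dataclass

# The three constructs the rule looks for, taken from the summary above.
# Matching is case-insensitive because PowerShell itself is.
USER_IDENTITY_PATTERNS = [
    r"\[System\.Environment\]::UserName",
    r"\$env:UserName",
    r"\[System\.Security\.Principal\.WindowsIdentity\]::GetCurrent\(\)",
]
_COMBINED = re.compile("|".join(USER_IDENTITY_PATTERNS), re.IGNORECASE)


@dataclass
class ScriptBlockEvent:
    """Minimal model of a Microsoft-Windows-PowerShell/Operational 4104 event."""
    host: str
    user: str
    script_block_text: str  # the ScriptBlockText field of the 4104 event


def find_user_identity_queries(event: ScriptBlockEvent) -> list[str]:
    """Return the distinct identity-query constructs found in one script block."""
    return sorted({m.group(0) for m in _COMBINED.finditer(event.script_block_text)})


def detect(events: list[ScriptBlockEvent]) -> list[dict]:
    """Run the rule over a batch of 4104 events and return one hit per matching event."""
    hits = []
    for ev in events:
        matches = find_user_identity_queries(ev)
        if matches:
            hits.append({"host": ev.host, "user": ev.user, "matches": matches})
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign-looking admin script that builds a path from the user name: matches.
    ScriptBlockEvent(
        "WS01", r"CORP\jdoe",
        r'$logDir = "C:\Temp\$env:USERNAME"; Get-ChildItem $logDir',
    ),
    # Recon one-liner: identity, group membership, host details: matches twice.
    ScriptBlockEvent(
        "WS02", r"CORP\svc_build",
        "$id = [System.Security.Principal.WindowsIdentity]::GetCurrent(); "
        "$p = New-Object System.Security.Principal.WindowsPrincipal($id); "
        "$p.IsInRole('Administrators'); [System.Environment]::UserName; "
        "Get-WmiObject Win32_ComputerSystem",
    ),
    # Unrelated maintenance: no match.
    ScriptBlockEvent("WS03", r"CORP\ops", "Get-Service -Name Spooler | Restart-Service"),
    # Shortened type name accepted by PowerShell but not among the listed constructs: no match.
    ScriptBlockEvent("WS04", r"CORP\jdoe", "Write-Host [Environment]::UserName"),
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['host']} {hit['user']}: {', '.join(hit['matches'])}")
```

Running the block reports hits for WS01 and WS02 only. The WS04 event shows why a detection keyed on a short list of literal constructs should be reviewed for equivalent spellings before being relied on; the WS01 event shows why hits need context, since building a per-user path is ordinary administrative scripting.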
Categories
- Windows
- Endpoint
Data Sources
- Script
ATT&CK Techniques
- T1033
Created: 2022-04-04