
Summary
This detection rule, authored by Elastic, identifies commands associated with system user or owner discovery (MITRE ATT&CK T1033) being executed by an unusual user context on Linux systems. When an account that rarely or never runs such commands suddenly does, the deviation from baseline can indicate either legitimate troubleshooting or a compromised account performing reconnaissance. The rule is driven by an Elastic machine learning anomaly detection job rather than a static query, with a suggested anomaly score threshold of 75 (on Elastic's 0 to 100 anomaly score scale) for opening alerts.

Flagging rare user behaviour early matters because user and owner discovery commonly precedes credential dumping or privilege escalation. Routine administrative tasks and troubleshooting sessions are expected sources of false positives, so alerts should be investigated rather than acted on automatically.

The rule is intended for hosts that ship process events through Elastic Defend or the Auditd Manager integration, and the associated machine learning job must be set up and running before anomaly detection begins. Investigating an alert involves reviewing the user's recent activity and command executions, establishing whether the account normally performs such actions, and correlating the alert with other security events on the same host or account, so that genuine threats are identified while legitimate administrative actions are tuned out.
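The following is an added illustration, not the rule's own logic or Elastic's machine learning job: a toy per-user rarity baseline that captures the rule's idea (a user/owner discovery command run by a user context that rarely runs such commands) and scores constructed process events against it. The command list, the event shape, the scoring formula and all sample users are assumptions made for the example.

```python
"""Added example (not Elastic's ML job): a toy per-user rarity baseline for
Linux user/owner discovery commands, run over constructed process events."""
from collections import Counter

# Assumption: common T1033 commands on Linux; the actual rule's list is not
# given on this page.
USER_DISCOVERY_COMMANDS = {"whoami", "id", "w", "who", "users", "last", "lastlog"}


def event(user, name, *args):
    """Build a minimal ECS-like process event (constructed sample data)."""
    return {"user.name": user, "process.name": name, "process.args": [name, *args]}


# Constructed baseline: ops runs discovery commands often, alice occasionally,
# www-data never. A real baseline is learned from days or weeks of history.
BASELINE_EVENTS = (
    [event("ops", "whoami")] * 12
    + [event("ops", "w")] * 5
    + [event("ops", "last", "-n", "20")] * 3
    + [event("alice", "id")] * 5
    + [event("www-data", "ls", "-la")] * 10   # not a discovery command
)

# Constructed new events to score against the baseline.
NEW_EVENTS = [
    event("ops", "whoami"),          # frequent user context: expected to be quiet
    event("alice", "id", "-u"),      # occasional user context: borderline
    event("www-data", "id"),         # never-seen user context: strong signal
    event("www-data", "ls", "-la"),  # not a discovery command: ignored
]


def is_user_discovery(evt):
    return evt["process.name"] in USER_DISCOVERY_COMMANDS


def build_baseline(events):
    """Count discovery-command executions per user; returns (counts, total)."""
    counts = Counter(e["user.name"] for e in events if is_user_discovery(e))
    return counts, sum(counts.values())


def rarity_score(user, counts, total):
    """Crude 0-100 score: 100 for a user context never seen running these
    commands, falling with that user's share of baseline executions. It stands
    in for the ML anomaly score and is not Elastic's algorithm."""
    if total == 0:
        return 100
    return round(100 * (1 - counts.get(user, 0) / total))


def detect(new_events, baseline_events, threshold=75):
    """Return alerts for discovery commands whose user context scores at or
    above the threshold (75 mirrors the rule's suggested anomaly threshold)."""
    counts, total = build_baseline(baseline_events)
    alerts = []
    for evt in new_events:
        if not is_user_discovery(evt):
            continue
        score = rarity_score(evt["user.name"], counts, total)
        if score >= threshold:
            alerts.append({
                "user": evt["user.name"],
                "command": " ".join(evt["process.args"]),
                "score": score,
                # Triage hint: what else this user ran during the baseline window.
                "prior_commands": sorted({e["process.name"] for e in baseline_events
                                          if e["user.name"] == evt["user.name"]}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_EVENTS, BASELINE_EVENTS):
        print(alert)
```

Run as written, the example alerts on `alice` (score 80) and `www-data` (score 100) and stays quiet on `ops`. The `alice` alert is exactly the false-positive class the summary warns about: an occasional but legitimate administrator, which is why the `prior_commands` field is attached for triage and why alerts should be reviewed against the user's normal activity rather than auto-actioned. A service account such as `www-data` running `id` with no history of discovery commands is the high-value case the rule is meant to surface.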
Categories
- Endpoint
- Linux
- Cloud
Data Sources
- User Account
- Process
ATT&CK Techniques
- T1033
Created: 2020-09-03