
Summary
This rule detects the execution of `wmic.exe` with the `useraccount` command-line argument, which is indicative of local account discovery by adversaries. It relies on telemetry from EDR agents that record process executions, particularly those that query local user accounts on Windows devices. Recognizing this activity is important because it can signal a reconnaissance phase preceding further attacks, including privilege escalation or lateral movement within a network. The rule draws on several data sources, including Sysmon EventID 1 and Windows Security Event Log 4688, to capture the relevant process execution logs, giving a robust way to identify potentially malicious behavior. Proper implementation requires that logs containing command-line details are ingested and normalized through Splunk's EDR integrations and conform to the Common Information Model (CIM).
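The matching logic the summary describes, written out as an added Python example (not the rule's own SPL). The event records and their field names (`dest`, `user`, `process_name`, `original_file_name`, `process`) are constructed to resemble CIM-normalized Sysmon EventID 1 / Security 4688 process events; the renamed-binary check via Sysmon's OriginalFileName is an assumption about what a practitioner would add, not something the rule text states.

```python
"""Added example (not the rule's own SPL): the detection the summary
describes, applied to constructed process-creation events."""
import re

# Constructed sample events shaped like Sysmon EventID 1 / Security 4688
# records after CIM normalization (field names assumed for illustration).
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "alice", "process_name": "wmic.exe",
     "original_file_name": "wmic.exe",
     "process": "wmic.exe os get caption,version"},          # benign use
    {"dest": "ws02", "user": "bob", "process_name": "wmic.exe",
     "original_file_name": "wmic.exe",
     "process": "wmic.exe useraccount get name,sid"},         # should match
    {"dest": "ws03", "user": "carol", "process_name": "svc.exe",
     "original_file_name": "wmic.exe",                        # renamed copy
     "process": "C:\\Temp\\svc.exe USERACCOUNT list full"},   # should match
    {"dest": "ws04", "user": "dave", "process_name": "powershell.exe",
     "original_file_name": "PowerShell.EXE",
     "process": "powershell.exe -c Get-Date"},                # unrelated
]

# Match "useraccount" as a whole argument token, case-insensitively, so a
# path or string that merely contains the substring does not fire.
USERACCOUNT_ARG = re.compile(r"(^|\s)useraccount(\s|$)", re.IGNORECASE)


def is_wmic_useraccount(event):
    """True when the process is wmic.exe (by image name or, for a renamed
    binary, by the PE OriginalFileName Sysmon records) and its command
    line carries the useraccount argument."""
    name = event.get("process_name", "").lower()
    orig = event.get("original_file_name", "").lower()
    if name != "wmic.exe" and orig != "wmic.exe":
        return False
    return USERACCOUNT_ARG.search(event.get("process", "")) is not None


def detect(events):
    """Return one finding per matching event with the fields an analyst
    triages on (host, user, full command line, renamed-binary flag)."""
    return [
        {"dest": e["dest"], "user": e["user"], "process": e["process"],
         "renamed": e.get("process_name", "").lower() != "wmic.exe"}
        for e in events if is_wmic_useraccount(e)
    ]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```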
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1087
- T1087.001
Created: 2024-11-13