System User Discovery With Whoami

Splunk Security Content

Summary
This detection rule is designed to identify unauthorized use of the `whoami.exe` command on endpoints, as this executable is commonly leveraged by attackers for reconnaissance purposes. By monitoring process execution logs collected from Endpoint Detection and Response (EDR) agents, specifically Sysmon EventID 1 and Windows Event Log Security 4688, the rule detects instances where `whoami.exe` is executed without any command-line arguments. The primary indicator of potential malicious behavior is the execution of this command, which can reveal the current user context to the attacker, aiding further exploitation, such as privilege escalation or lateral movement. The rule aggregates data within the Splunk environment to provide alerts on these critical events and includes a search query tailored for effective monitoring.
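The detection logic described above, applied to a few constructed process-creation events (an added illustration, not the Splunk Security Content rule's own search; the normalised field names `image`, `command_line`, `host`, `user` and `parent` are assumptions standing in for Sysmon EventID 1 / Security 4688 fields):

```python
import re

# Constructed sample events, already normalised from Sysmon EventID 1 / Security 4688.
# The field names are an assumption for this example, not a real log schema.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\whoami.exe", "command_line": "whoami"},
    {"host": "ws01", "user": "CORP\\alice", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\whoami.exe", "command_line": "whoami /priv"},
    # A service account running whoami from a web worker is the classic post-exploitation shape.
    {"host": "srv02", "user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "image": "C:\\Windows\\System32\\whoami.exe",
     "command_line": "\"C:\\Windows\\System32\\whoami.exe\" "},
    {"host": "ws03", "user": "CORP\\bob", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\ipconfig.exe", "command_line": "ipconfig /all"},
]


def split_command_line(command_line: str) -> list[str]:
    """Split a Windows command line into tokens, keeping double-quoted paths whole."""
    return re.findall(r'"[^"]*"|\S+', command_line)


def is_bare_whoami(event: dict) -> bool:
    """True when the process image is whoami.exe and no arguments follow it.

    Only the file name of the image is compared (case-insensitively), so a
    quoted full path or an unusual casing does not evade the check.
    """
    image_name = event.get("image", "").rsplit("\\", 1)[-1].lower()
    if image_name != "whoami.exe":
        return False
    argv = split_command_line(event.get("command_line", ""))
    return len(argv) <= 1  # argv[0] is the executable itself; anything more is an argument


def detect(events: list[dict]) -> tuple[list[dict], dict[str, int]]:
    """Return the matching events and a per-host count, mirroring the rule's aggregation."""
    hits = [e for e in events if is_bare_whoami(e)]
    by_host: dict[str, int] = {}
    for e in hits:
        by_host[e["host"]] = by_host.get(e["host"], 0) + 1
    return hits, by_host


if __name__ == "__main__":
    matched, counts = detect(SAMPLE_EVENTS)
    for e in matched:
        print(f"{e['host']}: {e['user']} ran {e['image']} (parent {e['parent']})")
    print(counts)
```

Adding the parent process and user to the alert context, as the sample output does, is what lets an analyst separate an administrator at a console from a web worker or scheduled task spawning the command.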
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1033
Created: 2024-11-13