
Summary
The detection rule titled "System User Discovery With Query" identifies execution of the `query.exe` utility with command-line arguments used to discover logged-in users. This analytic matters because attackers frequently run `query.exe` to learn about Active Directory environments and to enumerate active users on compromised endpoints. The implementation relies on telemetry from Endpoint Detection and Response (EDR) agents, which record process creation together with the full command line. The rule draws on data streams such as Sysmon EventID 1 and Windows Security Event Log 4688, and aggregates the process data in Splunk. When this behavior is confirmed malicious, it indicates reconnaissance that commonly precedes lateral movement and privilege escalation. The approach includes filtering to refine the alerts generated, so that known-benign invocations are suppressed and only suspicious activity triggers notifications.
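The detection logic described above, as an added example that is not the rule's own Splunk search: constructed process-creation events in the shape of normalised Sysmon EventID 1 / Security 4688 telemetry (field names are assumptions), matched on `query.exe` by process name or original file name, a refinement filter that drops an assumed allowlist of benign parent processes, and per-host/user/command aggregation. The `user`/`session` sub-command match set is an assumption about the rule, not taken from the page.

```python
import re
from typing import Iterable

# Constructed sample events normalised from Sysmon EventID 1 / Security 4688
# (field names are assumptions, not the page's schema).
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "ws01", "user": "CORP\\alice", "process_name": "query.exe",
     "original_file_name": "query.exe", "command_line": "query user",
     "parent_process_name": "cmd.exe"},
    {"event_id": 4688, "host": "ws02", "user": "CORP\\bob", "process_name": "query.exe",
     "original_file_name": "query.exe", "command_line": "query.exe session /server:dc01",
     "parent_process_name": "powershell.exe"},
    {"event_id": 1, "host": "ws03", "user": "NT AUTHORITY\\SYSTEM", "process_name": "query.exe",
     "original_file_name": "query.exe", "command_line": "query user",
     "parent_process_name": "monitoringagent.exe"},
    {"event_id": 1, "host": "ws04", "user": "CORP\\carol", "process_name": "notepad.exe",
     "original_file_name": "notepad.exe", "command_line": "notepad.exe query.txt",
     "parent_process_name": "explorer.exe"},
]

# query.exe sub-commands that enumerate logged-on users/sessions (assumed match set).
DISCOVERY_ARGS = re.compile(r"\b(user|session)\b", re.IGNORECASE)

# Refinement filter: parent processes known to run query.exe legitimately (assumed allowlist).
ALLOWED_PARENTS = {"monitoringagent.exe"}


def is_query_user_discovery(event: dict) -> bool:
    """True when the event is query.exe run with user/session discovery arguments.
    original_file_name is checked as well so a renamed binary is still caught."""
    name = (event.get("process_name") or "").lower()
    orig = (event.get("original_file_name") or "").lower()
    if "query.exe" not in (name, orig):
        return False
    return DISCOVERY_ARGS.search(event.get("command_line") or "") is not None


def detect(events: Iterable[dict]) -> list[dict]:
    """Apply the match, drop allowlisted parents, and aggregate by host/user/command line."""
    hits: dict[tuple, dict] = {}
    for ev in events:
        if not is_query_user_discovery(ev):
            continue
        if (ev.get("parent_process_name") or "").lower() in ALLOWED_PARENTS:
            continue  # known-benign invocation, suppressed before alerting
        key = (ev["host"], ev["user"], ev["command_line"])
        hit = hits.setdefault(key, {"host": ev["host"], "user": ev["user"],
                                    "command_line": ev["command_line"], "count": 0})
        hit["count"] += 1
    return list(hits.values())
```

Running `detect(SAMPLE_EVENTS)` yields two alerts (ws01 and ws02); the SYSTEM invocation is suppressed by the parent allowlist and the notepad event never matches.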
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Command
ATT&CK Techniques
- T1033
Created: 2024-11-13