Multi-Cloud CLI Token and Credential Access Commands

Elastic Detection Rules

Summary

Detects and correlates process telemetry from shells and major cloud CLI tools (gcloud, az, gh, aws, kubectl, doctl, oci) to identify command lines that print or expose credentials or tokens across multiple cloud providers. The rule categorizes cloud targets from the CLI invocations (GCP, Azure, AWS, GitHub, Kubernetes, DigitalOcean, OCI) and flags hosts where two or more distinct cloud targets appear within a five-minute window. It aggregates by host, user, and time bucket, capturing the exact command lines and parent executables for investigation. If multiple cloud targets are observed in a short span, the rule raises a high-severity alert aligned with credential-access techniques (MITRE T1528, T1552).

The triage guidance suggests inspecting the exact command lines, determining whether activity was interactive or automated, and correlating with authentication and cloud logs; recommended responses include session isolation and credential rotation. Remediation guidance covers provider-specific revocation and rotation workflows (GCP, Azure, GitHub, etc.) and emphasizes revocation beyond local logout to invalidate tokens that may have already been exposed.

The rule is designed to detect multi-cloud credential-access attempts while acknowledging benign baseline activity from automation or CI pipelines to minimize false positives.
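The correlation stage described above, as an added illustration that is not Elastic's rule code: process events that have already passed the rule's credential-printing command-line filter are mapped from CLI executable name to cloud target, grouped by host, user and a fixed five-minute bucket, and an alert is emitted when a group spans two or more distinct targets. The event schema (`host`, `user`, `process_name`, `parent_name`, `command_line`, `timestamp`) and the sample events are constructed for this example; the subcommand patterns that mark a command line as token-printing are the rule's own and are not reproduced here.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# CLI executable -> cloud target, as listed in the rule summary.
CLOUD_TARGET_BY_TOOL = {
    "gcloud": "GCP",
    "az": "Azure",
    "aws": "AWS",
    "gh": "GitHub",
    "kubectl": "Kubernetes",
    "doctl": "DigitalOcean",
    "oci": "OCI",
}

WINDOW = timedelta(minutes=5)   # rule's correlation window
MIN_DISTINCT_TARGETS = 2        # "two or more distinct cloud targets"
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def classify_target(process_name):
    """Return the cloud target for a CLI executable, or None if it is not a cloud CLI."""
    return CLOUD_TARGET_BY_TOOL.get(process_name.lower())


def bucket_start(ts):
    """Align a timestamp to the start of its epoch-aligned five-minute bucket
    (the same behaviour as a fixed-interval date histogram)."""
    return ts - ((ts - EPOCH) % WINDOW)


def correlate(events):
    """Group filtered process events by (host, user, bucket) and alert on
    groups that touch MIN_DISTINCT_TARGETS or more distinct cloud targets."""
    groups = defaultdict(lambda: {"targets": set(), "command_lines": [], "parents": set()})
    for ev in events:
        target = classify_target(ev["process_name"])
        if target is None:            # not a cloud CLI: contributes nothing
            continue
        key = (ev["host"], ev["user"], bucket_start(ev["timestamp"]))
        group = groups[key]
        group["targets"].add(target)
        group["command_lines"].append(ev["command_line"])
        group["parents"].add(ev["parent_name"])

    alerts = []
    for (host, user, start), group in sorted(groups.items()):
        if len(group["targets"]) < MIN_DISTINCT_TARGETS:
            continue
        alerts.append({
            "host": host,
            "user": user,
            "window_start": start,
            "window_end": start + WINDOW,
            "cloud_targets": sorted(group["targets"]),
            # exact command lines and parents are kept for the analyst, as the rule does
            "command_lines": group["command_lines"],
            "parent_executables": sorted(group["parents"]),
            "severity": "high",
            "mitre": ["T1528", "T1552"],
        })
    return alerts


def _ts(hour, minute):
    return datetime(2026, 4, 29, hour, minute, tzinfo=timezone.utc)


# Constructed sample telemetry: each record is assumed to have already matched the
# rule's token-printing command-line filter (subcommands elided as <token-args>).
SAMPLE_EVENTS = [
    {"host": "build-01", "user": "ci", "process_name": "gcloud", "parent_name": "bash",
     "command_line": "gcloud <token-args>", "timestamp": _ts(12, 1)},
    {"host": "build-01", "user": "ci", "process_name": "az", "parent_name": "bash",
     "command_line": "az <token-args>", "timestamp": _ts(12, 3)},
    {"host": "build-01", "user": "ci", "process_name": "gh", "parent_name": "python3",
     "command_line": "gh <token-args>", "timestamp": _ts(12, 4)},
    {"host": "build-01", "user": "ci", "process_name": "ls", "parent_name": "bash",
     "command_line": "ls -la", "timestamp": _ts(12, 4)},
    # single target per bucket on this host: 12:02 and 12:09 fall in different buckets
    {"host": "laptop-02", "user": "alice", "process_name": "aws", "parent_name": "zsh",
     "command_line": "aws <token-args>", "timestamp": _ts(12, 2)},
    {"host": "laptop-02", "user": "alice", "process_name": "kubectl", "parent_name": "zsh",
     "command_line": "kubectl <token-args>", "timestamp": _ts(12, 9)},
]


def detect_sample():
    """Run the correlation over the constructed sample; returns one alert for build-01."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in detect_sample():
        print(alert["host"], alert["user"], alert["window_start"].isoformat(),
              alert["cloud_targets"], alert["parent_executables"])
```

Fixed epoch-aligned buckets are simple and cheap to aggregate, but they miss a pair that straddles a boundary (for example GCP at 12:04 and Azure at 12:06); a sliding window or overlapping buckets closes that gap at the cost of duplicate alerts that then need deduplication. The `laptop-02` events in the sample show the boundary effect: two targets eight minutes apart produce no alert, which matches the rule's stated five-minute window.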
Categories
  • Endpoint
  • Cloud
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1528
  • T1552
  • T1552.001
Created: 2026-04-29