
Linux Auditd Virtual Disk File And Directory Discovery

Splunk Security Content

Summary
This rule detects attempts to discover virtual disk files and directories on Linux systems using auditd logs. Such activity may indicate reconnaissance by an attacker looking for sensitive data held in virtualized storage. The rule monitors for commands typically used in file searches, specifically `find` or `grep` invocations that target virtual disk file extensions (*.vhd, *.vhdx, *.vmdk). When anomalous file-search behaviour is detected, security teams can respond promptly, since these attempts may be preparation for data exfiltration or further intrusion. To implement this detection, auditd events must be collected and processed through the Splunk Add-on for Unix and Linux so that the data is correctly parsed and normalized for monitoring.
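The following is an added example, not code from Splunk Security Content, showing the same detection logic applied outside Splunk: it parses raw auditd SYSCALL and EXECVE records, joins them on the `audit(<epoch>:<serial>)` identifier, reconstructs the full argument vector (including the hex-encoded arguments auditd emits for values containing spaces), and flags `find` or `grep` executions whose arguments reference .vhd, .vhdx or .vmdk files. The sample log lines are constructed for the example; the assumption that any argument containing one of the extensions counts as a hit is the example's, not the rule's published search.

```python
import re
from collections import defaultdict

# Constructed sample auditd records (not captured from a real host). auditd
# groups the SYSCALL and EXECVE records of one execve() under the same serial.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1737000001.100:101): arch=c000003e syscall=59 success=yes exit=0 ppid=2201 pid=2345 auid=1000 uid=1000 gid=1000 comm="find" exe="/usr/bin/find" key="exec"
type=EXECVE msg=audit(1737000001.100:101): argc=4 a0="find" a1=2F7372762F564D20496D61676573 a2="-name" a3="*.vmdk"
type=SYSCALL msg=audit(1737000002.200:102): arch=c000003e syscall=59 success=yes exit=0 ppid=2201 pid=2350 auid=1000 uid=1000 gid=1000 comm="grep" exe="/usr/bin/grep" key="exec"
type=EXECVE msg=audit(1737000002.200:102): argc=4 a0="grep" a1="-rl" a2="TODO" a3="/home/alice/project"
type=SYSCALL msg=audit(1737000003.300:103): arch=c000003e syscall=59 success=yes exit=0 ppid=2202 pid=2360 auid=1001 uid=0 gid=0 comm="find" exe="/usr/bin/find" key="exec"
type=EXECVE msg=audit(1737000003.300:103): argc=4 a0="find" a1="/var/lib/libvirt" a2="-iname" a3="*.VHD*"
type=SYSCALL msg=audit(1737000004.400:104): arch=c000003e syscall=59 success=yes exit=0 ppid=2201 pid=2370 auid=1000 uid=1000 gid=1000 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1737000004.400:104): argc=2 a0="ls" a1="/var/lib/libvirt/images"
"""

VIRTUAL_DISK_EXTENSIONS = (".vhd", ".vhdx", ".vmdk")   # ".vhd" also covers ".vhdx"
SEARCH_TOOLS = {"find", "grep"}

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
# key=value pairs; values are either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def decode_arg(raw):
    """Decode one EXECVE aN value: strip quotes, or hex-decode an unquoted
    argument (auditd hex-encodes arguments containing spaces or control chars)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if re.fullmatch(r'[0-9A-F]+', raw) and len(raw) % 2 == 0:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_audit_log(text):
    """Merge SYSCALL and EXECVE records that share an audit serial into one event."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events[serial]
        ev["serial"] = serial
        ev.setdefault("timestamp", float(ts))
        fields = dict(FIELD_RE.findall(body))
        if rtype == "SYSCALL":
            for k in ("uid", "auid", "pid", "ppid", "comm", "exe", "key"):
                if k in fields:
                    ev[k] = fields[k].strip('"')
        elif rtype == "EXECVE":
            argv = []
            for i in range(int(fields.get("argc", "0"))):
                raw = fields.get(f"a{i}")
                if raw is None:          # argv split across several EXECVE lines: keep what we have
                    break
                argv.append(decode_arg(raw))
            ev["argv"] = argv
    return [events[s] for s in sorted(events, key=int)]


def is_virtual_disk_search(argv):
    """True when a find/grep invocation references a virtual disk extension."""
    if not argv:
        return False
    tool = argv[0].rsplit("/", 1)[-1]     # tolerate /usr/bin/find as a0
    if tool not in SEARCH_TOOLS:
        return False
    return any(ext in arg.lower() for arg in argv[1:] for ext in VIRTUAL_DISK_EXTENSIONS)


def detect(text):
    """Return the events that match the virtual-disk discovery pattern."""
    hits = []
    for ev in parse_audit_log(text):
        if is_virtual_disk_search(ev.get("argv", [])):
            hits.append({
                "serial": ev["serial"],
                "timestamp": ev["timestamp"],
                "uid": ev.get("uid"),
                "auid": ev.get("auid"),
                "exe": ev.get("exe"),
                "argv": ev["argv"],
            })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_AUDIT_LOG):
        print(f"[T1083] serial={hit['serial']} uid={hit['uid']} auid={hit['auid']} "
              f"exe={hit['exe']} cmd={' '.join(hit['argv'])}")
```

Joining on the serial matters in practice: the process identity (uid, auid, exe) lives in the SYSCALL record while the arguments live in EXECVE, so matching on either record alone either loses the command line or the actor. Very long argument vectors are split across several EXECVE records with the same serial; the example keeps the arguments it sees, which is enough for the extension match but would need a second pass to reassemble the complete command line.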
Categories
  • Linux
  • Endpoint
Data Sources
  • Kernel
  • File
ATT&CK Techniques
  • T1083
Created: 2025-01-16