Sensitive File Access followed by Compression

Elastic Detection Rules

Summary
This detection rule identifies instances where sensitive files are accessed and compressed files are then created, almost immediately afterwards, in potentially suspicious locations on macOS systems. The rule aims to detect behavior indicative of data staging, a common precursor to data exfiltration. Attackers often target sensitive files such as SSH keys, AWS credentials, and login keychains, compressing them to aggregate the data for outbound transfer. The rule uses an EQL sequence to correlate events within a 30-second span: a file access event (open action) followed by a file creation event (modification action) of specific compressed file types (e.g., zip, gzip) in the directories typically used for staging. The operational guidance includes potential investigation steps, false positive considerations, and response actions to mitigate the risks associated with detected activity, emphasizing immediate isolation of affected systems, credential rotation, and thorough forensic analysis to uncover the attack vector. Additionally, it maps to MITRE ATT&CK tactics and techniques, primarily in the Collection and Exfiltration phases, to provide context for the detected behavior.
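As an added illustration of the sequence logic described above (example code, not the Elastic rule or its EQL), the following re-implements the 30-second open-then-archive correlation over constructed sample events. The sensitive-path markers, archive extensions, staging directories and the per-process join key are assumptions chosen for the example.

```python
"""Simplified open -> archive-creation sequence detector (example code, not the
Elastic rule). Runs over constructed macOS-style file events embedded below."""
from datetime import datetime, timedelta

MAX_SPAN = timedelta(seconds=30)  # sequence window named on the page

# Assumed path markers for the sensitive files the page names.
SENSITIVE_MARKERS = ("/.ssh/", "/.aws/credentials", "/Library/Keychains/login.keychain-db")
# Assumed archive extensions (page names zip and gzip).
ARCHIVE_SUFFIXES = (".zip", ".gz", ".tgz")
# Assumed staging locations; a real rule would carry its own list.
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/Users/Shared/")


def is_sensitive_open(ev):
    return ev["action"] == "open" and any(m in ev["path"] for m in SENSITIVE_MARKERS)


def is_archive_creation(ev):
    return (ev["action"] == "creation"
            and ev["path"].endswith(ARCHIVE_SUFFIXES)
            and ev["path"].startswith(STAGING_DIRS))


def find_staging_sequences(events):
    """Return (open_event, creation_event) pairs from the same pid within MAX_SPAN."""
    hits = []
    pending = {}  # pid -> most recent sensitive-file open (assumed join key)
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid = ev["pid"]
        if is_sensitive_open(ev):
            pending[pid] = ev  # newest open restarts the window for this pid
        elif is_archive_creation(ev) and pid in pending:
            first = pending.pop(pid)
            if ev["ts"] - first["ts"] <= MAX_SPAN:
                hits.append((first, ev))
    return hits


def _ev(ts, pid, action, path):
    return {"ts": datetime.fromisoformat(ts), "pid": pid, "action": action, "path": path}


# Constructed sample events: one true staging sequence, three near-misses.
SAMPLE_EVENTS = [
    _ev("2026-01-30T10:00:00", 4242, "open", "/Users/alice/.ssh/id_ed25519"),
    _ev("2026-01-30T10:00:12", 4242, "creation", "/private/tmp/.cache.zip"),      # hit
    _ev("2026-01-30T10:05:00", 5151, "open", "/Users/alice/.aws/credentials"),
    _ev("2026-01-30T10:05:45", 5151, "creation", "/private/tmp/backup.tar.gz"),   # 45 s: outside window
    _ev("2026-01-30T10:07:00", 6161, "open", "/Users/alice/Documents/notes.txt"),
    _ev("2026-01-30T10:07:05", 6161, "creation", "/private/tmp/notes.zip"),       # file not sensitive
    _ev("2026-01-30T10:09:00", 7171, "open", "/Users/alice/Library/Keychains/login.keychain-db"),
    _ev("2026-01-30T10:09:03", 7171, "creation", "/Users/alice/Desktop/photos.zip"),  # not a staging dir
]
```

Running `find_staging_sequences(SAMPLE_EVENTS)` yields only the pid 4242 pair; the remaining three show why the window, the sensitive-path filter and the staging-directory filter each matter for false positives.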
Categories
  • Endpoint
  • macOS
Data Sources
  • File
  • Process
ATT&CK Techniques
  • T1074
  • T1074.001
  • T1560
Created: 2026-01-30