This analytic detection rule is designed to identify suspicious attempts to locate SSH private keys on Linux systems, which may signify unauthorized efforts to access secure systems. SSH private keys are integral for authenticating secure connections, and unauthorized access to these keys poses significant risks, including potential system compromise. The rule utilizes the `linux_auditd` and `linux_auditd_normalized_execve_process` data to monitor command executions linked to finding SSH keys (e.g., `id_rsa`, `id_dsa`, `.key`, etc.). By tracking specific commands like `find` or `grep` that access these sensitive files, the detection mechanism produces alerts, allowing security teams to react swiftly to possible threats. The implementation requires the ingestion and normalization of Linux audit logs to ensure accuracy and consistency. False positives may occur if legitimate administrative activities trigger alerts—adjustments to filter macros are suggested to mitigate this. References include resources discussing persistence and privilege escalation techniques relevant to Linux environments.