
Summary
The rule detects opened-file reads of sensitive identity material on Linux using the Auditd Manager integration. It watches the logs-auditd_manager.auditd data stream for events where event.category is file and event.action is opened-file, restricted to paths that hold root and cluster identity data (Kubernetes service tokens, kubeconfig, PKI material, root credentials, and root cloud/Docker config).

Detection is conditioned on the reading process resembling a common copy or scripting utility, or on the binary executing from a temp/run staging area. Specifically, the rule fires when process.name matches a curated set of copy/scripting tools (cp, mv, cat, head, tail, base64, xxd, od, curl, wget, tar, zip, gzip, scp, rsync, and various interpreters), when process.executable resides under /tmp, /var/tmp, /dev/shm, or /run, or when a shell (sh, bash, zsh, dash, fish, ksh) is invoked with the -c or -i argument. User home paths are excluded so that the watched paths stay explicit and aligned with the published auditd rules.

The rule maps to the MITRE ATT&CK credential-access technique T1552 and its sub-techniques T1552.001 (Credentials In Files) and T1552.007 (Container API). It carries a high risk score and is designed for deployment via Elastic Agent with the Auditd Manager integration and published audit rules. Setup guidance covers enabling Auditd Manager in Fleet, adding audit rules that watch the listed identity paths, reloading the rules, and validating that events arrive by generating a benign test open.

The rule integrates with a triage workflow: identify the workload context (Kubernetes node, jump host, developer machine), map token paths to their container or host context, inspect related pod and security data, and capture file and process hashes as evidence. Remediation steps cover isolating the host, rotating keys and tokens, invalidating cloud sessions, and reviewing RBAC and file permissions.
Potential false positives include legitimate kubelet/control-plane activity touching admin.conf or PKI assets and CI/test reads from /tmp; those can be mitigated by narrowing scope with per-path, per-user, or per-executable allowlists. The rule is intended to aid rapid detection of credential exposure through audit events and supports proactive credential protection in Linux-based, identity-centric environments.
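The detection logic described above, as an added Python reference model run over constructed ECS-style auditd events (this is not Elastic's rule query or the project's own code). The concrete watched path prefixes and the interpreter names are assumptions standing in for the rule's actual lists, and the allowed_executables parameter models the per-executable allowlist suggested for the false positives noted above.

```python
from typing import Any

# Assumed stand-ins for the rule's watched identity paths; the page names the
# categories (service tokens, kubeconfig, PKI, root cloud/Docker config) only.
WATCHED_PREFIXES = ("/var/run/secrets/kubernetes.io/serviceaccount/",
                    "/etc/kubernetes/admin.conf", "/etc/kubernetes/pki/",
                    "/root/.kube/", "/root/.aws/", "/root/.docker/")
# Copy/scripting utilities listed on the page; the interpreter names are assumed.
TOOLS = {"cp", "mv", "cat", "head", "tail", "base64", "xxd", "od", "curl", "wget",
         "tar", "zip", "gzip", "scp", "rsync", "python3", "perl", "ruby", "node"}
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/")
SHELLS = {"sh", "bash", "zsh", "dash", "fish", "ksh"}

def _has(ev: dict[str, Any], key: str, value: str) -> bool:
    """ECS fields such as event.category may be a scalar or a list."""
    v = ev.get(key, [])
    return value in (v if isinstance(v, list) else [v])

def matches(ev: dict[str, Any], allowed_executables: frozenset[str] = frozenset()) -> bool:
    """Apply the rule logic to one event; allowed_executables is the per-executable
    allowlist used to suppress known CI or control-plane binaries."""
    if not (_has(ev, "event.category", "file") and _has(ev, "event.action", "opened-file")):
        return False
    path = ev.get("file.path", "")
    if path.startswith("/home/") or not path.startswith(WATCHED_PREFIXES):
        return False  # home directories are out of scope; only listed paths count
    exe = ev.get("process.executable", "")
    if exe in allowed_executables:
        return False
    name = ev.get("process.name", "")
    args = ev.get("process.args", [])
    shell_inline = name in SHELLS and any(a in ("-c", "-i") for a in args)
    return name in TOOLS or exe.startswith(STAGING_DIRS) or shell_inline

def alert_paths(events, allowed_executables=frozenset()) -> list[str]:
    """Return the file paths of all events that fire the rule, in order."""
    return [ev["file.path"] for ev in events if matches(ev, allowed_executables)]

def _ev(path, name, exe, *args):  # builds one constructed opened-file event
    return {"event.category": ["file"], "event.action": "opened-file", "file.path": path,
            "process.name": name, "process.executable": exe, "process.args": [name, *args]}

SAMPLE_EVENTS = [  # constructed, not captured from a real host
    _ev("/var/run/secrets/kubernetes.io/serviceaccount/token", "cat", "/usr/bin/cat"),
    _ev("/etc/kubernetes/pki/ca.key", "ci-runner", "/tmp/ci-runner"),
    _ev("/root/.kube/config", "bash", "/bin/bash", "-c", "head /root/.kube/config"),
    _ev("/etc/kubernetes/admin.conf", "kubelet", "/usr/bin/kubelet"),
    _ev("/home/dev/.kube/config", "cat", "/usr/bin/cat", "/home/dev/.kube/config"),
]
```

With the sample set, the first three events fire (copy tool, binary staged in /tmp, inline shell), the kubelet read of admin.conf does not, and the home-directory read is skipped; passing frozenset({"/tmp/ci-runner"}) as the allowlist suppresses the CI event only.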
Categories
- Endpoint
- Linux
- Kubernetes
- Identity Management
Data Sources
- Process
- File
ATT&CK Techniques
- T1552
- T1552.001
- T1552.007
Created: 2026-04-24