
Summary
The rule named "Sensitive Files Compression" detects the compression of sensitive files on Linux endpoints, an activity that can precede credential exfiltration. It uses process-execution data from Auditbeat, Elastic Defend, and related integrations to look for common compression utilities (e.g., zip, tar, gzip) whose command-line arguments reference known sensitive file paths associated with user credentials and system configuration, such as SSH keys and AWS credentials. Concretely, it inspects process-start events for those utilities and examines their arguments for such targets. With a medium severity and a risk score of 47, the rule alerts security teams to potential data collection by an adversary. The investigation guide covers reviewing the process details, correlating the timeline with user activity, and analyzing outbound network connections, while accounting for false positives that can arise from legitimate operations such as backups and administrative tasks.
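As an added illustration (example code, not the rule's own query or Elastic's implementation), the following reimplements the detection logic described above over constructed process-start events: the utility names, sensitive-path patterns and sample events are assumptions modelled on the summary, while the severity and risk score are the values stated on this page.

```python
import fnmatch
from dataclasses import dataclass
from typing import Optional

# Example code, not Elastic's rule: utility names and sensitive-path patterns are
# assumptions modelled on the summary above; severity and risk score are the page's values.
COMPRESSION_UTILITIES = {"zip", "gzip", "tar", "bzip2", "xz", "7z"}
SENSITIVE_PATTERNS = (
    "*/.ssh/id_*",            # SSH private keys (public halves match too)
    "*/.ssh/authorized_keys",
    "*/.aws/credentials",     # AWS CLI long-term credentials
    "/etc/shadow",            # local password hashes
    "*/.git-credentials",
)
SEVERITY, RISK_SCORE = "medium", 47

@dataclass
class ProcessEvent:
    name: str          # process.name, e.g. "tar"
    args: list         # process.args as captured by the endpoint sensor
    user: str
    parent: str = ""   # process.parent.name, useful when triaging backup jobs

def sensitive_args(event: ProcessEvent) -> list:
    """Return the command-line arguments that match a sensitive path pattern."""
    return [a for a in event.args
            if any(fnmatch.fnmatchcase(a, p) for p in SENSITIVE_PATTERNS)]

def evaluate(event: ProcessEvent) -> Optional[dict]:
    """Emit an alert dict when a compression utility is given a sensitive target."""
    if event.name not in COMPRESSION_UTILITIES:
        return None
    hits = sensitive_args(event)
    if not hits:
        return None
    return {"rule": "Sensitive Files Compression", "severity": SEVERITY,
            "risk_score": RISK_SCORE, "process": event.name, "user": event.user,
            "parent": event.parent, "matched_args": hits}

# Constructed sample events: a benign project archive, an archive of credential
# files, and a non-compression read of a credential file (outside this rule's scope)
SAMPLE_EVENTS = [
    ProcessEvent("tar", ["tar", "czf", "/tmp/src.tgz", "/home/alice/project"], "alice", "bash"),
    ProcessEvent("tar", ["tar", "czf", "/tmp/.x.tgz", "/home/alice/.ssh/id_rsa",
                         "/home/alice/.aws/credentials"], "alice", "bash"),
    ProcessEvent("cat", ["cat", "/home/alice/.aws/credentials"], "alice", "bash"),
]

def run(events=SAMPLE_EVENTS) -> list:
    return [a for a in map(evaluate, events) if a]
```

The `parent` field is carried through so an analyst can distinguish an archive spawned by a scheduled backup from one launched from an interactive shell, which is where most of the false-positive tuning described above happens.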
Categories
- Endpoint
Data Sources
- Process
- File
ATT&CK Techniques
- T1552
- T1552.001
- T1560
- T1560.001
Created: 2020-12-22