
Sensitive Keys Or Passwords Searched For Inside A Container

Elastic Detection Rules

Summary
This detection rule targets the potential misuse of system search utilities such as grep and find, which adversaries can use to locate sensitive files such as private SSH keys or password stores within containerized environments. Unauthorized access to these files poses a significant risk, as it may lead to further compromise or facilitate a breakout from the container to the host. The rule captures process events on Linux where the command line searches for key patterns associated with credential storage. It uses EQL (Event Query Language) to identify instances where these commands are executed in a container context, alerting security teams to potential credential access attempts that warrant investigation.
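To make the rule's logic concrete, here is an added Python example that approximates the detection described above over a handful of constructed process events. It is not Elastic's rule and does not reproduce its EQL query; the search-utility list, the sensitive-pattern list and the ProcessEvent fields are assumptions chosen to illustrate the three conditions the summary names (Linux, container context, search command line with a credential-related pattern).

```python
"""Added example (not Elastic's rule): a stand-alone approximation of the
"sensitive keys or passwords searched for inside a container" logic,
mapped to ATT&CK T1552 / T1552.001, run over constructed events."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Search utilities the summary names (grep, find) plus common variants.
# Assumption: the real rule's process list is not shown on this page.
SEARCH_TOOLS = {"grep", "egrep", "fgrep", "find", "rg"}

# Credential-storage patterns to look for in the command line.
# Constructed list for illustration; not the rule's own pattern set.
SENSITIVE_PATTERNS = [
    r"id_rsa",
    r"id_dsa",
    r"id_ecdsa",
    r"id_ed25519",
    r"\.pem\b",
    r"private key",
    r"\bpassw(?:or)?d\b",
]


@dataclass
class ProcessEvent:
    """Minimal stand-in for a process-start event (assumed field names)."""
    process_name: str
    command_line: str
    container_id: Optional[str]   # None means the process ran on the host
    host_os: str = "linux"


def matches_sensitive_search(event: ProcessEvent) -> Optional[str]:
    """Return the matched pattern if the event is a credential search in a
    Linux container, otherwise None (all three conditions must hold)."""
    if event.host_os != "linux" or event.container_id is None:
        return None
    if event.process_name.lower() not in SEARCH_TOOLS:
        return None
    for pattern in SENSITIVE_PATTERNS:
        if re.search(pattern, event.command_line, re.IGNORECASE):
            return pattern
    return None


def detect(events: List[ProcessEvent]) -> List[dict]:
    """Apply the check to each event and return one alert dict per hit,
    carrying the fields an analyst needs for triage."""
    alerts = []
    for event in events:
        hit = matches_sensitive_search(event)
        if hit is not None:
            alerts.append({
                "container": event.container_id,
                "process": event.process_name,
                "command_line": event.command_line,
                "pattern": hit,
                "technique": "T1552.001",
            })
    return alerts


# Constructed sample events: two containers (c1, c2) plus one host process.
SAMPLE_EVENTS = [
    ProcessEvent("grep", "grep -r id_rsa /home", "c1"),                       # hit
    ProcessEvent("find", "find / -name '*.pem' -o -name 'id_rsa*'", "c1"),    # hit
    ProcessEvent("grep", "grep -i password /etc/app/config.yml", "c2"),       # hit
    ProcessEvent("grep", "grep -r id_rsa /home", None),                       # host: out of scope
    ProcessEvent("find", "find /var/log -name '*.log' -mtime +7", "c2"),      # benign search
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The fourth sample shows the container-context condition at work: the same grep on the host is out of this rule's scope and would need a separate host-focused rule. When tuning, expect the password pattern to fire on legitimate activity such as build scripts grepping configuration files for a `password` key, so exceptions are usually scoped per container image or parent process rather than by dropping the pattern.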
Categories
  • Containers
Data Sources
  • Container
  • Process
  • Logon Session
ATT&CK Techniques
  • T1552
  • T1552.001
Created: 2025-03-12