Potential Credential Discovery via Recursive Grep

Elastic Detection Rules

Summary
Detects potential credential discovery activity on Linux and macOS endpoints by flagging recursive grep/egrep processes (grep -r/--recursive) that search for secrets, credentials, keys, tokens, or sensitive paths (e.g., .env, .git, .aws). The rule aggregates matches by host, user, and the parent process within one-minute windows and only surfaces when there are three or more distinct grep commands in the same bucket, reducing noise from incidental searches. It filters out cases where the parent shell is a snapshot-related process to avoid common legitimate tooling. When triggered, it maps to MITRE ATT&CK techniques T1552.001 (Credentials in Files) and T1083 (File and Directory Discovery) and provides a triage path (examining Esql.cmd_values, Esql.pcmd_values, and the launch context) to determine legitimacy. The rule targets Linux/macOS endpoints with high severity and is designed to surface coordinated credential-discovery activity rather than single, benign searches.
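The aggregation described above, re-implemented in plain Python over a handful of constructed process events. This is an added illustration of the rule's logic and not the rule's own ES|QL query: the field names, the keyword list, the recursive-flag pattern and the "snapshot" parent exclusion are assumptions chosen to mirror the summary, and the sample events are constructed. The output carries cmd_values and pcmd_values so the triage step (distinct grep commands and the parent commands that launched them) can be seen directly.

```python
"""Toy re-implementation of the recursive-grep credential-discovery rule.

Assumptions (not from the rule itself): event field names, the SENSITIVE
keyword pattern, the recursive-flag pattern, the parent-process exclusion,
and the constructed sample events below.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed approximation of the "secrets, credentials, keys, tokens,
# sensitive paths" keyword list described in the summary.
SENSITIVE = re.compile(
    r"(secret|credential|passw|api[_-]?key|token|private[_-]?key"
    r"|\.env\b|\.git\b|\.aws\b|\.ssh\b)",
    re.IGNORECASE,
)
# Matches -r / -R inside a short-option cluster (e.g. -rn, -Ern) or --recursive.
RECURSIVE_FLAG = re.compile(r"(^|\s)(-[a-zA-Z]*[rR][a-zA-Z]*|--recursive)(\s|$)")
# Assumed exclusion: parent process name containing "snapshot".
SNAPSHOT_PARENT = re.compile(r"snapshot", re.IGNORECASE)
THRESHOLD = 3  # distinct grep commands per (host, user, parent, minute)


def is_candidate(ev):
    """True if one process event is a recursive grep/egrep for sensitive terms
    launched by a non-snapshot parent."""
    if ev["process"] not in ("grep", "egrep"):
        return False
    if not RECURSIVE_FLAG.search(ev["cmd"]):
        return False
    if not SENSITIVE.search(ev["cmd"]):
        return False
    if SNAPSHOT_PARENT.search(ev["parent"]):
        return False
    return True


def minute_bucket(ts):
    """Truncate an ISO-8601 UTC timestamp (with trailing Z) to its minute."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt.replace(second=0, microsecond=0).isoformat()


def detect(events, threshold=THRESHOLD):
    """Group candidate events by host, user, parent and one-minute bucket;
    return an alert per group with >= threshold distinct grep commands."""
    groups = defaultdict(lambda: {"cmds": set(), "pcmds": set()})
    for ev in events:
        if not is_candidate(ev):
            continue
        key = (ev["host"], ev["user"], ev["parent"], minute_bucket(ev["ts"]))
        groups[key]["cmds"].add(ev["cmd"])
        groups[key]["pcmds"].add(ev["parent_cmd"])
    alerts = []
    for (host, user, parent, bucket), g in sorted(groups.items()):
        if len(g["cmds"]) >= threshold:
            alerts.append({
                "host": host, "user": user, "parent": parent, "bucket": bucket,
                "cmd_values": sorted(g["cmds"]),    # analogous to Esql.cmd_values
                "pcmd_values": sorted(g["pcmds"]),  # analogous to Esql.pcmd_values
            })
    return alerts


def _ev(ts, host, user, parent, parent_cmd, process, cmd):
    return {"ts": ts, "host": host, "user": user, "parent": parent,
            "parent_cmd": parent_cmd, "process": process, "cmd": cmd}


# Constructed sample events: four recursive greps from one shell within a
# minute (should alert), one non-sensitive grep, one lone sensitive grep,
# and one under a snapshot-style parent (excluded).
SAMPLE_EVENTS = [
    _ev("2026-03-25T10:00:05Z", "web-01", "www-data", "bash", "bash -i", "grep",
        "grep -r password /var/www"),
    _ev("2026-03-25T10:00:12Z", "web-01", "www-data", "bash", "bash -i", "grep",
        'grep -rn "api_key" /home'),
    _ev("2026-03-25T10:00:30Z", "web-01", "www-data", "bash", "bash -i", "egrep",
        'egrep -r "AKIA" /home/.aws'),
    _ev("2026-03-25T10:00:48Z", "web-01", "www-data", "bash", "bash -i", "grep",
        "grep -r --include=.env DB_ /srv"),
    _ev("2026-03-25T10:02:10Z", "dev-box", "alice", "zsh", "zsh", "grep",
        "grep -r TODO src/"),
    _ev("2026-03-25T10:03:00Z", "dev-box", "alice", "zsh", "zsh", "grep",
        "grep -r secret_key config/"),
    _ev("2026-03-25T10:05:00Z", "build-01", "ci", "snapshot-helper",
        "snapshot-helper --scan", "grep", "grep -r secret /tmp/snap"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run as a script it prints a single alert for web-01/www-data/bash in the 10:00 bucket; the lone developer grep and the snapshot-parent grep never reach the threshold, which is the noise reduction the summary describes.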
Categories
  • Endpoint
  • Linux
  • macOS
Data Sources
  • Process
ATT&CK Techniques
  • T1552
  • T1083
  • T1552.001
Created: 2026-03-25