
Summary
This detection rule identifies Generative AI (GenAI) tools accessing sensitive files containing credentials, SSH keys, or configurations on various operating systems. Attackers can potentially use GenAI agents to locate and exfiltrate sensitive information systematically. The rule tracks file access by specific GenAI processes that are known to interact with sensitive data. It flags actions such as opening, creating, or modifying files with a successful outcome, especially files linked to credentials or system configurations (.aws/credentials, .ssh/id_*, .bashrc, .zshrc). While GenAI tools often interact with project files legitimately, accessing credential stores is unusual and requires deeper investigation into the user's actions, the tool's legitimacy, and any associated suspicious activity around the same timeframe. False positives can arise from automated tools that use GenAI for security scanning or development workflows.
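The matching logic described above, sketched as an added example that is not the rule's own query. The GenAI process names, the event field names and the action values are assumptions made for illustration; only the file patterns come from the summary.

```python
import fnmatch

# Assumption: illustrative GenAI process names; the page does not list the rule's own.
GENAI_PROCESSES = {"claude", "cursor", "ollama", "copilot"}
# Path patterns taken from the rule summary.
SENSITIVE_PATTERNS = ("*/.aws/credentials", "*/.ssh/id_*", "*/.bashrc", "*/.zshrc")
# Assumption: hypothetical event values for the open / create / modify actions.
FLAGGED_ACTIONS = {"open", "create", "modify"}

def process_name(raw):
    """Reduce a process path or image name to a lowercase base name without .exe."""
    base = raw.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base

def is_sensitive(path):
    """Match Windows and POSIX paths against the sensitive-file patterns."""
    norm = path.replace("\\", "/").lower()
    return any(fnmatch.fnmatchcase(norm, pat) for pat in SENSITIVE_PATTERNS)

def detect(events):
    """Return events where a GenAI process successfully touched a sensitive file."""
    return [
        e for e in events
        if process_name(e["process"]) in GENAI_PROCESSES
        and e["action"] in FLAGGED_ACTIONS
        and e["outcome"] == "success"
        and is_sensitive(e["path"])
    ]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"process": "claude", "action": "open", "outcome": "success",
     "path": "/home/dev/.aws/credentials"},
    {"process": "Cursor.exe", "action": "modify", "outcome": "success",
     "path": "C:\\Users\\dev\\.ssh\\id_ed25519"},
    {"process": "claude", "action": "open", "outcome": "success",
     "path": "/home/dev/project/src/main.py"},   # ordinary project file
    {"process": "vim", "action": "modify", "outcome": "success",
     "path": "/home/dev/.zshrc"},                # not a GenAI process
    {"process": "ollama", "action": "open", "outcome": "failure",
     "path": "/Users/dev/.ssh/id_rsa"},          # access did not succeed
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT {process_name(hit['process'])} {hit['action']} {hit['path']}")
```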
Categories
- Endpoint
- Cloud
- Linux
- Windows
- macOS
Data Sources
- File
- Process
ATT&CK Techniques
- T0085
- T0085.001
- T0055
- T1555
- T1005
Created: 2025-12-04