
Summary
This detection rule identifies attempts to read sensitive security files on Linux systems through common command-line utilities. Adversaries may use tools such as `cat`, `grep`, and `less` to read security-related files in order to gather system and configuration information. The rule uses process event logs from several data sources, including Elastic Defend, CrowdStrike, SentinelOne, and Endgame, to monitor processes that execute commands targeting sensitive files. Its specificity comes from matching commands that attempt to access critical directories and files, such as those under `/etc/security`, AWS credential files, and Azure profile settings, while filtering out benign processes launched by certain administrative tools. By surfacing these access patterns, the rule helps reveal potential reconnaissance activity and lets security teams respond proactively.
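As an added illustration of the access pattern the rule describes (not the rule's own query or any vendor's code), the following Python applies the same logic to constructed process events; the event field names, the concrete AWS and Azure paths, and the parent-process allowlist are assumptions:

```python
"""Toy re-implementation of the access pattern the rule summary describes.

Constructed sample events; the field names, the sensitive-path list and the
parent-process exclusion list are assumptions, not the rule's own logic.
"""
import re
from typing import Iterable

# Utilities the rule watches (named in the rule summary).
READ_UTILITIES = {"cat", "grep", "less"}

# Sensitive locations. /etc/security is named on the page; the AWS and Azure
# paths are assumed concrete examples of "AWS credential files" and
# "Azure profile settings".
SENSITIVE_PATTERNS = [
    re.compile(r"(^|\s)/etc/security(/|\s|$)"),
    re.compile(r"\.aws/credentials"),
    re.compile(r"\.azure/"),
]

# Parent processes treated as benign administrative tooling (assumed allowlist).
BENIGN_PARENTS = {"ansible-playbook", "puppet", "chef-client"}


def is_sensitive_file_read(event: dict) -> bool:
    """True when a cat/grep/less process references a sensitive path and
    was not launched by an allowlisted administrative parent."""
    if event.get("event_type") != "process_start":
        return False
    if event.get("process_name") not in READ_UTILITIES:
        return False
    if event.get("parent_name") in BENIGN_PARENTS:
        return False
    args = event.get("args", "")
    return any(p.search(args) for p in SENSITIVE_PATTERNS)


def find_alerts(events: Iterable[dict]) -> list[dict]:
    """Run the check over a stream of events and collect the matches."""
    return [e for e in events if is_sensitive_file_read(e)]


# Constructed sample telemetry (not real captured data).
SAMPLE_EVENTS = [
    {"event_type": "process_start", "process_name": "cat", "parent_name": "bash",
     "args": "cat /etc/security/limits.conf"},
    {"event_type": "process_start", "process_name": "grep", "parent_name": "bash",
     "args": "grep aws_secret_access_key /home/alice/.aws/credentials"},
    {"event_type": "process_start", "process_name": "less", "parent_name": "ansible-playbook",
     "args": "less /etc/security/access.conf"},  # excluded: benign parent
    {"event_type": "process_start", "process_name": "cat", "parent_name": "bash",
     "args": "cat /var/log/syslog"},  # not a sensitive path
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert["args"])
```

The first two sample events match, the third is suppressed by the parent allowlist, and the fourth never touches a sensitive path.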
Categories
- Endpoint
- Linux
Data Sources
- Container
- Cloud Service
- File
- Process
- Network Traffic
Created: 2024-11-04