Potential Secret Scanning via Gitleaks

Elastic Detection Rules

Summary
The detection rule titled 'Potential Secret Scanning via Gitleaks' identifies the execution of Gitleaks, a tool that searches code repositories for high-entropy strings and sensitive information such as credentials. The rule flags potentially malicious activity in which an attacker uses Gitleaks to harvest credentials from internal repositories or local workspaces. It triggers whenever a Gitleaks process is started, with particular attention to execution from temporary directories, which can indicate unauthorized use. The rule covers a time frame of the last 9 months and draws on a wide range of data sources, including security logs from CrowdStrike, Windows Defender, and various endpoint security agents.

When an alert fires, a detailed investigation should assess whether the Gitleaks usage is legitimate: review the command line, examine the user session, and scrutinize any output for sensitive information. False positives (for example, developers or security teams scanning their own repositories) are expected and should be validated manually. If the execution is confirmed to be unauthorized, the recommended response actions are to isolate the affected host, analyze the artifacts Gitleaks produced, and revoke any exposed secrets.

The rule maps to MITRE ATT&CK techniques for OS credential dumping (T1003) and credentials from password stores (T1555), making it a useful component of a layered security strategy aimed at detecting and preventing breaches of sensitive information.
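The logic the summary describes (alert on any Gitleaks process start, and raise the severity when the binary runs from a temporary directory) can be sketched as a small evaluator over process events. The following is an added example written for this page, not the rule's own query or Elastic code; the ECS-style field names, the temporary-directory patterns, the severity levels and the sample events are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Temporary-directory prefixes treated as suspicious execution locations
# (assumption: a reasonable set for Linux and Windows hosts, not the rule's own list).
TEMP_DIR_PATTERNS = [
    re.compile(r"^/tmp/"),
    re.compile(r"^/var/tmp/"),
    re.compile(r"^/dev/shm/"),
    re.compile(r"\\(?:Windows\\)?Temp\\", re.IGNORECASE),
    re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE),
]

# Gitleaks executable names on Linux/macOS and Windows.
GITLEAKS_NAME = re.compile(r"^gitleaks(\.exe)?$", re.IGNORECASE)


@dataclass
class Alert:
    host: str
    user: str
    executable: str
    command_line: str
    severity: str  # "high" when run from a temp dir, "medium" otherwise


def basename_any(path: str) -> str:
    """Last path component, accepting both '/' and '\\' separators."""
    return re.split(r"[\\/]", path)[-1]


def is_gitleaks(event: dict) -> bool:
    """True when the process name or executable basename is gitleaks."""
    name = event.get("process.name") or basename_any(event.get("process.executable", ""))
    return bool(GITLEAKS_NAME.match(name))


def in_temp_dir(path: str) -> bool:
    """True when the executable lives under a known temporary directory."""
    return any(p.search(path) for p in TEMP_DIR_PATTERNS)


def evaluate(events: list[dict]) -> list[Alert]:
    """Return one Alert per Gitleaks process start; temp-dir execution is 'high'."""
    alerts = []
    for ev in events:
        if not is_gitleaks(ev):
            continue
        exe = ev.get("process.executable", "")
        alerts.append(Alert(
            host=ev.get("host.name", "?"),
            user=ev.get("user.name", "?"),
            executable=exe,
            command_line=ev.get("process.command_line", ""),
            severity="high" if in_temp_dir(exe) else "medium",
        ))
    return alerts


# Constructed sample process-start events (ECS-style keys are an assumption).
SAMPLE_EVENTS = [
    {"host.name": "build01", "user.name": "svc-ci", "process.name": "gitleaks",
     "process.executable": "/tmp/gitleaks",
     "process.command_line": "/tmp/gitleaks detect --source /srv/repos --report-path /tmp/out.json"},
    {"host.name": "WS-0042", "user.name": "jdoe", "process.name": "gitleaks.exe",
     "process.executable": r"C:\Users\jdoe\AppData\Local\Temp\gitleaks.exe",
     "process.command_line": r"C:\Users\jdoe\AppData\Local\Temp\gitleaks.exe detect --source C:\src"},
    {"host.name": "dev07", "user.name": "alice", "process.name": "gitleaks",
     "process.executable": "/usr/local/bin/gitleaks",
     "process.command_line": "gitleaks protect --staged"},
    {"host.name": "dev07", "user.name": "alice", "process.name": "git",
     "process.executable": "/usr/bin/git",
     "process.command_line": "git commit -m 'fix'"},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.host} {a.user}: {a.command_line}")
```

The medium-severity hit from `/usr/local/bin/gitleaks` is the kind of event the summary says should be validated manually; the two temp-directory executions are the ones that most warrant isolating the host and checking the report path named on the command line for harvested secrets.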
Categories
  • Endpoint
  • Cloud
  • Infrastructure
Data Sources
  • Process
  • Application Log
  • User Account
ATT&CK Techniques
  • T1003
  • T1555
Created: 2025-11-28