[Rule Tuning] Credential access collection sensitive files (#5952)

* credential_access_collection_sensitive_files fine-tuning * Update credential_access_collection_sensitive_files.toml --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2026-05-05 12:48:42 +02:00
parent e4746c3a83
commit c744a6c6a1
1 changed files with 7 additions and 1 deletions
@@ -2,7 +2,7 @@
 creation_date = "2020/12/22"
 integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/05/04"

 [rule]
 author = ["Elastic"]
@@ -107,8 +107,14 @@ process.args:
      /root/.aws/config or
      /home/*/.aws/credentials or
      /home/*/.aws/config or
+      /home/*/.config/gcloud/credentials.db or
+      /home/*/.config/gcloud/access_tokens.db or
+      /home/*/.azure/credentials or
+      /root/.azure/credentials or
      /root/.docker/config.json or
      /home/*/.docker/config.json or
+      /root/.kube/config or
+      /home/*/.kube/config or
      /etc/group or
      /etc/passwd or
      /etc/shadow or