From c744a6c6a1746ca1aed8f0786a1d6d5c90e6a9a3 Mon Sep 17 00:00:00 2001
From: litemars <44295342+litemars@users.noreply.github.com>
Date: Tue, 5 May 2026 12:48:42 +0200
Subject: [PATCH] [Rule Tuning] Credential access collection sensitive files (#5952)

* credential_access_collection_sensitive_files fine-tuning

* Update credential_access_collection_sensitive_files.toml

--------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---
 .../credential_access_collection_sensitive_files.toml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml
index 537425e98..0884b918b 100644
--- a/rules/linux/credential_access_collection_sensitive_files.toml
+++ b/rules/linux/credential_access_collection_sensitive_files.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/22"
 integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/05/04"
 
 [rule]
 author = ["Elastic"]
@@ -107,8 +107,14 @@ process.args:
 /root/.aws/config or
 /home/*/.aws/credentials or
 /home/*/.aws/config or
+ /home/*/.config/gcloud/credentials.db or
+ /home/*/.config/gcloud/access_tokens.db or
+ /home/*/.azure/credentials or
+ /root/.azure/credentials or
 /root/.docker/config.json or
 /home/*/.docker/config.json or
+ /root/.kube/config or
+ /home/*/.kube/config or
 /etc/group or
 /etc/passwd or
 /etc/shadow or
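Review bot: The new gcloud entries cover only `/home/*/.config/gcloud/credentials.db` and `/home/*/.config/gcloud/access_tokens.db`, while the .azure and .kube additions in the same hunk pair each `/home/*/` path with a `/root/` counterpart, so reads of the gcloud credential store under root's home would not match this rule. Adding `/root/.config/gcloud/credentials.db or` and `/root/.config/gcloud/access_tokens.db or` beside the existing gcloud lines keeps the coverage symmetric with the rest of the list. The `process.args` list continues outside the hunk on both sides and the rule's other fields (description, note, version) are not visible here; if the rule text enumerates the monitored files, it may need the same update.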