Techniques
Sample rules
Kubernetes and Cloud Credential Path Access via Process Arguments
- source: elastic
- techniques:
  - T1528
  - T1552
Description
Flags Linux process executions whose arguments name high-value credential files: Kubernetes service-account tokens and CA certificates, kubeconfig and node PKI files, and common cloud CLI and SSH credential stores. The rule fires only when the execution also looks like a read or exfiltration attempt: the process is a typical file-reading, encoding or transfer utility (or a scripting interpreter), one of those utility names appears in its arguments, or the executable runs from a temporary, shared-memory or user-writable directory. Useful for spotting in-cluster and hybrid credential theft early.
Detection logic
host.os.type:linux and event.category:process and event.action:(exec or executed) and
(
process.name:(
busybox or cat or head or tail or more or less or sed or awk or
find or grep or ls or whereis or cp or mv or ln or
curl or wget or scp or rsync or tar or zip or gzip or
base64 or xxd or od or dd or tee or strings or xargs or jq or yq or
openssl or ssh or sftp or nc or ncat or netcat or socat or
python* or perl* or ruby* or node or php* or lua* or .*
) or
process.args:(
cat or head or tail or more or less or sed or awk or
find or grep or cp or mv or curl or wget or base64 or
tar or scp or dd or strings or xargs
) or
process.executable:(/tmp/* or /var/tmp/* or /dev/shm/* or /home/* or /run/user/*)
) and process.args:(
"/var/run/secrets/kubernetes.io/serviceaccount/token" or
"/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" or
"/var/run/secrets/eks.amazonaws.com/serviceaccount/token" or
"/var/run/secrets/azure/tokens/azure-identity-token" or
"/var/run/secrets/tokens/azure-identity-token" or
"/var/lib/kubelet/kubeconfig" or
"/etc/kubernetes/admin.conf" or
"/etc/kubernetes/pki/ca.key" or
"/etc/kubernetes/pki/apiserver-kubelet-client.key" or
"/var/lib/kubelet/pki/kubelet-client-current.pem" or
"/etc/rancher/k3s/k3s.yaml" or
"/etc/shadow" or
*/.ssh/id_rsa or
*/root/.ssh/id_ed25519 or
*/.ssh/id_ecdsa or
*/.aws/credentials or
*/.aws/cli/cache/*.json or
*/.aws/sso/cache/*.json or
*/.azure/accessTokens.json or
*/.azure/azureProfile.json or
*/.azure/msal_token_cache.json or
*/.config/gcloud/application_default_credentials.json or
*/.config/gcloud/credentials.db or
*/.config/gcloud/access_tokens.db or
*/.config/gcloud/legacy_credentials or
*/.kube/config or
*/.docker/config.json
)
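To see how the three "invoked via" conditions combine with the credential-path list, here is an added Python emulation of the rule's matching logic run over a handful of constructed ECS-style process events. This is example code written for this page, not Elastic's rule engine; the event dictionaries, their `id` labels and the `run_rule` helper are assumptions, and the wildcard matcher only implements `*` (KQL's sole wildcard), so `.*` in the process.name list matches dot-prefixed names just as it would in the rule.

```python
"""Emulate the credential-path detection rule over constructed process events."""
import re

# Process names treated as file-reading, encoding, transfer or interpreter utilities.
UTILITY_NAMES = [
    "busybox", "cat", "head", "tail", "more", "less", "sed", "awk", "find", "grep",
    "ls", "whereis", "cp", "mv", "ln", "curl", "wget", "scp", "rsync", "tar", "zip",
    "gzip", "base64", "xxd", "od", "dd", "tee", "strings", "xargs", "jq", "yq",
    "openssl", "ssh", "sftp", "nc", "ncat", "netcat", "socat", "python*", "perl*",
    "ruby*", "node", "php*", "lua*", ".*",
]
# Utility names that may appear as an argument (e.g. a wrapper passing "cat" along).
UTILITY_ARG_NAMES = [
    "cat", "head", "tail", "more", "less", "sed", "awk", "find", "grep", "cp", "mv",
    "curl", "wget", "base64", "tar", "scp", "dd", "strings", "xargs",
]
# Executable locations that are temporary, shared-memory or user-writable.
EPHEMERAL_EXECUTABLES = ["/tmp/*", "/var/tmp/*", "/dev/shm/*", "/home/*", "/run/user/*"]
# Credential files from the rule; every entry must match a whole argument.
CREDENTIAL_PATHS = [
    "/var/run/secrets/kubernetes.io/serviceaccount/token",
    "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
    "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
    "/var/run/secrets/azure/tokens/azure-identity-token",
    "/var/run/secrets/tokens/azure-identity-token",
    "/var/lib/kubelet/kubeconfig", "/etc/kubernetes/admin.conf",
    "/etc/kubernetes/pki/ca.key", "/etc/kubernetes/pki/apiserver-kubelet-client.key",
    "/var/lib/kubelet/pki/kubelet-client-current.pem", "/etc/rancher/k3s/k3s.yaml",
    "/etc/shadow", "*/.ssh/id_rsa", "*/root/.ssh/id_ed25519", "*/.ssh/id_ecdsa",
    "*/.aws/credentials", "*/.aws/cli/cache/*.json", "*/.aws/sso/cache/*.json",
    "*/.azure/accessTokens.json", "*/.azure/azureProfile.json",
    "*/.azure/msal_token_cache.json",
    "*/.config/gcloud/application_default_credentials.json",
    "*/.config/gcloud/credentials.db", "*/.config/gcloud/access_tokens.db",
    "*/.config/gcloud/legacy_credentials", "*/.kube/config", "*/.docker/config.json",
]


def _wildcard(pattern: str) -> re.Pattern:
    """Compile a KQL-style pattern: '*' matches anything, every other char is literal."""
    return re.compile("".join(".*" if c == "*" else re.escape(c) for c in pattern))


def matches_any(value: str, patterns: list) -> bool:
    """True when the whole value matches at least one pattern."""
    return any(_wildcard(p).fullmatch(value) for p in patterns)


def rule_matches(event: dict) -> bool:
    """Return True when the event satisfies every clause of the detection logic."""
    if event.get("host.os.type") != "linux" or event.get("event.category") != "process":
        return False
    if event.get("event.action") not in ("exec", "executed"):
        return False
    name = event.get("process.name", "")
    args = event.get("process.args", [])
    executable = event.get("process.executable", "")
    invoked_via_utility = (
        matches_any(name, UTILITY_NAMES)
        or any(matches_any(a, UTILITY_ARG_NAMES) for a in args)
        or matches_any(executable, EPHEMERAL_EXECUTABLES)
    )
    # Each credential pattern must match an entire argument element, not a substring.
    touches_credential = any(matches_any(a, CREDENTIAL_PATHS) for a in args)
    return invoked_via_utility and touches_credential


def run_rule(events: list) -> list:
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if rule_matches(e)]


# Constructed sample events (not real telemetry); "id" is a label for this example only.
SAMPLE_EVENTS = [
    {"id": "sa-token-cat", "host.os.type": "linux", "event.category": "process",
     "event.action": "exec", "process.name": "cat", "process.executable": "/usr/bin/cat",
     "process.args": ["cat", "/var/run/secrets/kubernetes.io/serviceaccount/token"]},
    {"id": "shm-binary-aws", "host.os.type": "linux", "event.category": "process",
     "event.action": "executed", "process.name": "creds",
     "process.executable": "/dev/shm/creds",
     "process.args": ["/dev/shm/creds", "/root/.aws/credentials"]},
    # kubectl is not a listed utility and does not run from an ephemeral directory.
    {"id": "kubectl-kubeconfig", "host.os.type": "linux", "event.category": "process",
     "event.action": "exec", "process.name": "kubectl",
     "process.executable": "/usr/local/bin/kubectl",
     "process.args": ["kubectl", "--kubeconfig", "/root/.kube/config", "get", "pods"]},
    # The path is embedded inside a larger argument, so exact-element matching misses it.
    {"id": "python-inline-read", "host.os.type": "linux", "event.category": "process",
     "event.action": "exec", "process.name": "python3",
     "process.executable": "/usr/bin/python3",
     "process.args": ["python3", "-c", "print(open('/etc/shadow').read())"]},
    # Wrong platform: the host.os.type clause excludes it regardless of arguments.
    {"id": "windows-type", "host.os.type": "windows", "event.category": "process",
     "event.action": "exec", "process.name": "type.exe",
     "process.executable": "C:\\Windows\\System32\\type.exe",
     "process.args": ["type", "/etc/shadow"]},
]

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))
```

The `python-inline-read` case is the caveat worth keeping in mind when tuning: because process.args is matched element by element, a credential path passed inside a larger string (an inline script, a shell `-c` command line) does not trigger this rule on that event; coverage for such cases comes from the child process that actually opens the file, if one is spawned.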