
Keychain Password Retrieval via Command Line

Elastic Detection Rules

Summary
This rule, authored by Elastic, detects potentially malicious attempts to read macOS Keychain data from the command line. Keychain is macOS's secure storage for user credentials, and an attacker with a shell on the host can use the built-in 'security' utility to pull out secrets such as the passwords and encryption keys that web browsers keep there. The rule monitors process start events on macOS and matches executions of 'security' whose arguments include the find-generic-password or find-internet-password subcommands, while excluding legitimate password manager activity, specifically from the Keeper Password Manager helper processes. The detection runs as a query over indexed endpoint logs in an Elastic environment; any process event that meets these criteria raises an alert with a high severity level so that an analyst can investigate promptly. Note that these subcommands only list item attributes unless the -w or -g flag is also present; -w prints just the password and -g prints it alongside the item's attributes, so the presence of either flag is the strongest signal that a secret was actually disclosed. Prompt triage of such alerts protects sensitive user data against credential theft.
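The following is an added illustration of the detection logic described above, written for this page; it is not Elastic's rule query and does not reproduce it. It assumes ECS-style process events (event.category, event.type, process.name, process.args, process.parent.executable) and a hypothetical glob for the Keeper Password Manager application bundle as the exclusion; the real rule's exclusion pattern may differ. The sample events are constructed for this example.

```python
"""Toy re-implementation of the keychain-retrieval detection (added example, not the Elastic rule)."""
import fnmatch
from typing import Dict, List

# Subcommands of /usr/bin/security that read keychain items.
KEYCHAIN_READ_SUBCOMMANDS = {"find-generic-password", "find-internet-password"}

# Assumed allow-list for Keeper's helper processes. This glob is an assumption made
# for illustration; the real rule's exclusion pattern is not reproduced here.
KEEPER_PARENT_GLOB = "/Applications/Keeper Password Manager.app/*"


def is_keychain_retrieval(event: Dict) -> bool:
    """Return True when a process-start event matches the suspicious pattern."""
    if event.get("event.category") != "process":
        return False
    if event.get("event.type") not in ("start", "process_started"):
        return False
    if event.get("process.name") != "security":
        return False
    args = event.get("process.args", [])
    if not KEYCHAIN_READ_SUBCOMMANDS.intersection(args):
        return False
    # Exclusion: Keeper's own helper legitimately reads keychain items.
    parent = event.get("process.parent.executable", "")
    if fnmatch.fnmatch(parent, KEEPER_PARENT_GLOB):
        return False
    return True


def triage(event: Dict) -> Dict:
    """Extract what an analyst wants first: which item was targeted and whether the secret was printed."""
    args = event.get("process.args", [])
    info = {"subcommand": None, "service": None, "account": None, "password_displayed": False}
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in KEYCHAIN_READ_SUBCOMMANDS:
            info["subcommand"] = arg
        elif arg == "-s" and i + 1 < len(args):
            info["service"] = args[i + 1]
            i += 1
        elif arg == "-a" and i + 1 < len(args):
            info["account"] = args[i + 1]
            i += 1
        elif arg in ("-w", "-g"):
            # -w prints only the password; -g prints it alongside the item attributes.
            info["password_displayed"] = True
        i += 1
    return info


def detect(events: List[Dict]) -> List[Dict]:
    """Run the rule over a batch of events and attach triage fields to each hit."""
    return [dict(event, triage=triage(event)) for event in events if is_keychain_retrieval(event)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {  # interactive shell dumping a saved web credential: should alert
        "event.category": "process", "event.type": "start",
        "process.name": "security",
        "process.args": ["security", "find-internet-password", "-s", "accounts.google.com",
                         "-a", "alice", "-w"],
        "process.parent.executable": "/bin/zsh",
    },
    {  # Keeper helper reading its own item: excluded by the allow-list
        "event.category": "process", "event.type": "start",
        "process.name": "security",
        "process.args": ["security", "find-generic-password", "-s", "Keeper", "-w"],
        "process.parent.executable": "/Applications/Keeper Password Manager.app/Contents/MacOS/Keeper Password Manager",
    },
    {  # benign subcommand: not matched
        "event.category": "process", "event.type": "start",
        "process.name": "security",
        "process.args": ["security", "list-keychains"],
        "process.parent.executable": "/bin/bash",
    },
    {  # script pulling the key Chrome uses to protect its saved passwords: should alert
        "event.category": "process", "event.type": "start",
        "process.name": "security",
        "process.args": ["security", "find-generic-password", "-s", "Chrome Safe Storage", "-g"],
        "process.parent.executable": "/usr/bin/python3",
    },
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["process.parent.executable"], hit["triage"])
```

Events 1 and 4 produce alerts; the Keeper helper and the list-keychains call are dropped. The password_displayed field is what separates an attacker exfiltrating the secret from a script merely checking that an item exists, so it is worth surfacing in the alert rather than leaving the analyst to re-read the argument list.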
Categories
  • macOS
  • Endpoint
  • Identity Management
Data Sources
  • Process
  • Application Log
  • Command
  • User Account
ATT&CK Techniques
  • T1555
  • T1555.001
  • T1555.003
Created: 2020-01-06