
Summary
This analytic detection rule identifies processes on macOS systems that install taps on keyboard events, a technique often used by Remote Access Trojans (RATs) to log users' keystrokes. The rule leverages osquery results within the Alerts data model, specifically targeting certain processes and command lines associated with keyboard event taps. By examining these inputs, the detection helps to uncover potentially malicious activity that threatens the confidentiality and integrity of user data, including sensitive information such as passwords. Given the severity of such activity, this rule serves as an important measure for securing macOS environments against unauthorized access. Implementing this rule requires ingesting osquery data through configured agents, along with the necessary exclusions for known benign processes such as Siri and Zoom that would otherwise trigger false positives.
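As an added illustration (not the rule's own query or code), the detection logic this summary describes, run over constructed osquery result lines in Python: keep enabled keyboard event taps, drop the Siri and Zoom exclusions, and emit the rest as alerts. The column names (`event_taps`-style `enabled`, `event_tapped`, `tapping_process`), the joined `tapping_process_cmdline` field and the event-type labels are assumptions for this example.

```python
import json

# Keyboard event types a keylogger would tap (constructed labels for this example).
KEYBOARD_EVENTS = {"kCGEventKeyDown", "kCGEventKeyUp", "kCGEventFlagsChanged"}
# Known-benign tapping processes named in the rule summary: Siri and Zoom.
BENIGN_SUBSTRINGS = ("/Siri", "/zoom.us")


def is_benign(cmdline: str) -> bool:
    """True when the tapping process's command line matches an exclusion."""
    return any(b in cmdline for b in BENIGN_SUBSTRINGS)


def detect_keyboard_taps(lines):
    """Return alerts for enabled keyboard taps installed by non-excluded processes."""
    alerts = []
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed osquery line: skip rather than crash the pipeline
        if rec.get("action") == "removed":
            continue  # a tap being torn down is not new activity
        cols = rec.get("columns", {})
        if cols.get("enabled") != "1" or cols.get("event_tapped") not in KEYBOARD_EVENTS:
            continue
        if is_benign(cols.get("tapping_process_cmdline", "")):
            continue
        alerts.append({"host": rec.get("hostIdentifier"),
                       "pid": cols.get("tapping_process"),
                       "cmdline": cols.get("tapping_process_cmdline"),
                       "event": cols.get("event_tapped")})
    return alerts


# Constructed osquery differential result lines (assumed schema; one JSON object per line).
SAMPLE_RESULTS = [
    '{"hostIdentifier":"mac-01","action":"added","columns":{"enabled":"1","event_tapped":"kCGEventKeyDown","tapping_process":"412","tapping_process_cmdline":"/System/Library/CoreServices/Siri.app/Contents/MacOS/Siri"}}',
    '{"hostIdentifier":"mac-01","action":"added","columns":{"enabled":"1","event_tapped":"kCGEventKeyDown","tapping_process":"588","tapping_process_cmdline":"/Applications/zoom.us.app/Contents/MacOS/zoom.us"}}',
    '{"hostIdentifier":"mac-01","action":"added","columns":{"enabled":"1","event_tapped":"kCGEventKeyDown","tapping_process":"777","tapping_process_cmdline":"/Users/Shared/.cache/updater"}}',
    '{"hostIdentifier":"mac-01","action":"added","columns":{"enabled":"1","event_tapped":"kCGEventMouseMoved","tapping_process":"777","tapping_process_cmdline":"/Users/Shared/.cache/updater"}}',
    '{"hostIdentifier":"mac-01","action":"removed","columns":{"enabled":"1","event_tapped":"kCGEventKeyDown","tapping_process":"777","tapping_process_cmdline":"/Users/Shared/.cache/updater"}}',
    'not json at all',
]

if __name__ == "__main__":
    for alert in detect_keyboard_taps(SAMPLE_RESULTS):
        print(alert)
```

Only the unexcluded, enabled keyboard tap (pid 777) produces an alert; the mouse tap, the removal event and the malformed line are ignored.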
Categories
- macOS
- Endpoint
- Infrastructure
Data Sources
- Process
- Logon Session
- Application Log
Created: 2024-11-13