
Summary
This detection rule monitors for unauthorized access attempts to the macOS keychain, which stores user credentials, passwords, and other sensitive data. Adversaries may run the 'dump-keychain' command with specific arguments to extract this data from the keychain and gain access to the credentials it holds. The rule uses EQL (Event Query Language) to look for process events on macOS in which the system registers the start of a command indicating a keychain dump. A risk score of 73 indicates this behavior should be flagged as high risk. The rule requires an integration with Elastic Defend to collect and send the necessary event data, and it includes guidance for identifying and responding to potential credential theft incidents. It alerts security analysts to potentially malicious activity that may compromise user credentials, and provides structured investigation guidelines, including legitimate uses that could be mistakenly flagged as malicious, thereby reducing false positives.
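The following is an added example, not the rule's own EQL query or any Elastic code, showing the matching logic the summary describes re-implemented in Python and run over constructed macOS process events. It assumes the "specific arguments" the rule looks for are "dump-keychain" together with the "-d" flag, that event fields follow ECS naming (host.os.type, event.type, process.args), and that an alert carries the summary's risk score of 73; the sample events are constructed, not real telemetry.

```python
"""
Added example (not the detection rule's own code): a Python approximation of
the EQL process-event logic described in the summary, evaluated over
constructed sample events.

Assumptions (not stated on the page):
  - the matched arguments are "dump-keychain" and "-d"
  - field names follow ECS: host.os.type, event.type, process.args
"""
from typing import Any

RISK_SCORE = 73  # from the rule summary

# Assumed argument conditions; EQL's ':' operator is case-insensitive, so the
# comparison below lowercases both sides.
REQUIRED_ARGS = ("dump-keychain", "-d")


def get_field(event: dict, dotted_path: str) -> Any:
    """Resolve an ECS-style dotted field name against a nested event dict."""
    node: Any = event
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def is_keychain_dump(event: dict) -> bool:
    """Mirror the summary's logic: a macOS process start whose arguments
    include every required keychain-dump argument."""
    if get_field(event, "host.os.type") != "macos":
        return False
    if get_field(event, "event.type") != "start":
        return False
    args = get_field(event, "process.args") or []
    lowered = {str(a).lower() for a in args}
    return all(required in lowered for required in REQUIRED_ARGS)


def run_detection(events: list[dict]) -> list[dict]:
    """Return one alert per matching event, tagged with the risk score and
    the ATT&CK technique listed on the page."""
    alerts = []
    for event in events:
        if is_keychain_dump(event):
            alerts.append({
                "risk_score": RISK_SCORE,
                "technique": "T1555.001",
                "process_args": get_field(event, "process.args"),
            })
    return alerts


# Constructed sample events (not real data). Only the first should match:
# the second is a different 'security' subcommand, the third is not macOS,
# and the fourth is a process end rather than a start.
SAMPLE_EVENTS = [
    {"host": {"os": {"type": "macos"}}, "event": {"type": "start"},
     "process": {"name": "security",
                 "args": ["security", "dump-keychain", "-d", "login.keychain"]}},
    {"host": {"os": {"type": "macos"}}, "event": {"type": "start"},
     "process": {"name": "security", "args": ["security", "list-keychains"]}},
    {"host": {"os": {"type": "linux"}}, "event": {"type": "start"},
     "process": {"name": "sh", "args": ["sh", "-c", "dump-keychain -d"]}},
    {"host": {"os": {"type": "macos"}}, "event": {"type": "end"},
     "process": {"name": "security",
                 "args": ["security", "dump-keychain", "-d"]}},
]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

The third sample event shows why the approximation checks individual argument entries rather than a joined command line: a single string argument "dump-keychain -d" does not satisfy the per-argument match, which is also why the host OS check matters for keeping the rule scoped to macOS.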
Categories
- Endpoint
- macOS
Data Sources
- Process
- File
ATT&CK Techniques
- T1555
- T1555.001
Created: 2021-01-04