Detects suspicious access to macOS Keychain files and APIs. Observes processes invoking the 'security' utility or accessing Keychain databases directly, and correlates these with abnormal parent process lineage or unexpected user context. Monitors attempts to dump, unlock, or read credential storage beyond normal application workflows.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | execution of security or osascript |
| OS API Execution (DC0021) | macos:unifiedlog | access or unlock attempt to keychain database |
| File Access (DC0055) | macos:unifiedlog | read access to ~/Library/Keychains/login.keychain-db |

| Field | Description |
|---|---|
| AllowedApplications | Whitelist of applications (e.g., Safari, Mail) normally permitted to access Keychain |
| AlertThreshold | Number of failed keychain unlock attempts before raising an alert |
| ParentProcessContext | Legitimate parent-child process relationships for security tool invocations |
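The correlation described above, applied to the three data components with the three tunable fields, as an added example that is not part of the original strategy: the event shape, the rule names, the allowed applications, the threshold of 3, and the parent set for 'security' are all assumed sample values, and the events are constructed rather than real unified-log records.

```python
from collections import Counter
# Tunables from the strategy's field table; the values are assumed samples.
ALLOWED_APPLICATIONS = {"Safari", "Mail"}                        # AllowedApplications
ALERT_THRESHOLD = 3                                              # AlertThreshold
PARENT_PROCESS_CONTEXT = {"security": {"Terminal", "zsh", "bash"}}  # ParentProcessContext

def keychain_owner(path):
    """Return the user whose login keychain the path belongs to, else None."""
    parts = path.split("/")
    if path.endswith("/login.keychain-db") and len(parts) > 3 and parts[1] == "Users":
        return parts[2]
    return None

def evaluate(events, allowed=ALLOWED_APPLICATIONS, threshold=ALERT_THRESHOLD,
             parent_ctx=PARENT_PROCESS_CONTEXT):
    """Apply the correlation rules to normalised events (dicts with a 'kind' of
    process_create, file_access or api_unlock); returns (rule, process, user)."""
    alerts, failed_unlocks = [], Counter()
    for ev in events:
        proc, user = ev["process"], ev["user"]
        if ev["kind"] == "process_create" and proc in parent_ctx:
            if ev["parent"] not in parent_ctx[proc]:      # abnormal lineage
                alerts.append(("abnormal_parent", proc, user))
            if proc == "security" and "dump-keychain" in ev.get("args", []):
                alerts.append(("keychain_dump", proc, user))  # wholesale dump
        elif ev["kind"] == "file_access":
            owner = keychain_owner(ev["path"])
            if owner is None:
                continue                                  # not a login keychain
            if proc not in allowed:
                alerts.append(("keychain_read_unallowed_app", proc, user))
            if user != owner:                             # unexpected user context
                alerts.append(("keychain_read_foreign_user", proc, user))
        elif ev["kind"] == "api_unlock" and not ev["success"]:
            failed_unlocks[(proc, user)] += 1
            if failed_unlocks[(proc, user)] == threshold:
                alerts.append(("unlock_failure_threshold", proc, user))
    return alerts

# Constructed sample events (not real unified-log records) covering every rule.
DB = "/Users/alice/Library/Keychains/login.keychain-db"
SAMPLE_EVENTS = [
    {"kind": "process_create", "process": "security", "parent": "zsh", "user": "alice", "args": ["list-keychains"]},
    {"kind": "process_create", "process": "security", "parent": "osascript", "user": "alice", "args": ["find-generic-password", "-s", "github"]},
    {"kind": "process_create", "process": "security", "parent": "zsh", "user": "alice", "args": ["dump-keychain", "-d"]},
    {"kind": "file_access", "process": "Safari", "user": "alice", "path": DB},
    {"kind": "file_access", "process": "python3", "user": "alice", "path": DB},
    {"kind": "file_access", "process": "Safari", "user": "root", "path": DB},
] + [{"kind": "api_unlock", "process": "python3", "user": "alice", "success": False}] * 3
```

Running `evaluate(SAMPLE_EVENTS)` yields one finding per rule; the first event (security run from zsh with a benign subcommand) and the first two failed unlocks below the threshold produce nothing, which is the noise floor the tunables are meant to set.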