diff --git a/rules/macos/credential_access_systemkey_dumping.toml b/rules/macos/credential_access_systemkey_dumping.toml
index 7dc0ab8e1..9e54cf24e 100644
--- a/rules/macos/credential_access_systemkey_dumping.toml
+++ b/rules/macos/credential_access_systemkey_dumping.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/03/27"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ type = "query"
 
 query = '''
 event.category:process and event.type:(start or process_started) and
- process.args:"/private/var/db/SystemKey"
+ process.args:("/private/var/db/SystemKey" or "/var/db/SystemKey")
 '''
 
 
@@ -46,4 +46,3 @@ reference = "https://attack.mitre.org/techniques/T1555/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
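Review bot: The rewritten query line in the second hunk lists both `/private/var/db/SystemKey` and `/var/db/SystemKey` without recording why, so a later editor could collapse the disjunction back to one term; a comment above `query = '''` such as `# /var is a symlink to /private/var on macOS, so both spellings of the SystemKey path must be matched` would preserve the intent. Both terms remain exact matches on `process.args`, so an invocation whose argument embeds the path inside a longer string would presumably still not match; whether that gap matters for this data source is worth confirming. The `[rule]` table that holds this query begins outside the hunk.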