diff --git a/rules/macos/credential_access_compress_credentials_keychains.toml b/rules/macos/credential_access_credentials_keychains.toml
similarity index 65%
rename from rules/macos/credential_access_compress_credentials_keychains.toml
rename to rules/macos/credential_access_credentials_keychains.toml
index 413106d5c..99d0f2875 100644
--- a/rules/macos/credential_access_compress_credentials_keychains.toml
+++ b/rules/macos/credential_access_credentials_keychains.toml
@@ -1,31 +1,41 @@ [metadata] creation_date = "2020/08/14" maturity = "production" -updated_date = "2020/12/09" +updated_date = "2021/01/04" [rule] author = ["Elastic"] description = """ Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, -websites, secure notes, certificates, and Kerberos. +websites, secure notes and certificates. """ from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] -language = "kuery" +language = "eql" license = "Elastic License" -name = "Compression of Keychain Credentials Directories" -references = ["https://objective-see.com/blog/blog_0x25.html"] +name = "Access to Keychain Credentials Directories" +references = [ + "https://objective-see.com/blog/blog_0x25.html", + "https://securelist.com/calisto-trojan-for-macos/86543/", +] risk_score = 73 rule_id = "96e90768-c3b7-4df6-b5d9-6237f8bc36a8" severity = "high" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"] -type = "query" +type = "eql" query = ''' -event.category:process and event.type:(start or process_started) and - process.name:(zip or tar or gzip or 7za or hdiutil) and - process.args:("/Library/Keychains/" or "/Network/Library/Keychains/" or "~/Library/Keychains/") +process where event.type in ("start", "process_started") and + process.args : + ( + "/Users/*/Library/Keychains/*", + "/Library/Keychains/*", + "/Network/Library/Keychains/*", + "System.keychain", + "login.keychain-db", + "login.keychain" + ) ''' @@ -41,8 +51,8 @@ name = "Keychain" reference = "https://attack.mitre.org/techniques/T1555/001/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" -
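Review bot: The new EQL `query` drops the old `process.name:(zip or tar or gzip or 7za or hdiutil)` restriction, so any process start whose arguments contain a keychain path now fires this `severity = "high"` / `risk_score = 73` rule, including routine administration such as `security add-trusted-cert -k /Library/Keychains/System.keychain` or certificate deployment by MDM agents. Do not fix that by excluding `security` wholesale, since `security dump-keychain` against `login.keychain-db` is exactly the behaviour the referenced Objective-See write-up describes; instead record the expected benign sources in a `false_positives = [ ... ]` entry under `[rule]` and, if baseline telemetry confirms them, exclude specific benign subcommands by argument rather than by process name. Note also that `"/Users/*/Library/Keychains/*"` only matches home directories under /Users; root's keychain (presumably under /private/var/root/Library/Keychains/) would not be caught, so consider adding `"/private/var/root/Library/Keychains/*"` if that is in scope. The `[rule]` table this hunk edits continues past the hunk into the `[[rule.threat]]` sections.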