[Rule Tuning] Access to Keychain Credentials Directories (#999)

* [Rule Tuning] Access to Keychain Credentials Directories

* Update rules/macos/credential_access_credentials_keychains.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* update_date

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

rules/macos/credential_access_credentials_keychains.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +36,18 @@ process where event.type in ("start", "process_started") and
       "System.keychain",
       "login.keychain-db",
       "login.keychain"
-    )
+    ) and
+    not process.args : ("find-certificate",
+                      "add-trusted-cert",
+                      "set-keychain-settings",
+                      "delete-certificate",
+                      "/Users/*/Library/Keychains/openvpn.keychain-db",
+                      "show-keychain-info",
+                      "lock-keychain",
+                      "set-key-partition-list",
+                      "import",
+                      "find-identity") and
+    not process.parent.executable : "/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect"
 '''
 
 
@@ -57,4 +68,3 @@ reference = "https://attack.mitre.org/techniques/T1555/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-