diff --git a/rules/macos/credential_access_credentials_keychains.toml b/rules/macos/credential_access_credentials_keychains.toml
index 5592924d5..e07a8860d 100644
--- a/rules/macos/credential_access_credentials_keychains.toml
+++ b/rules/macos/credential_access_credentials_keychains.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +36,18 @@ process where event.type in ("start", "process_started") and
 "System.keychain",
 "login.keychain-db",
 "login.keychain"
- )
+ ) and
+ not process.args : ("find-certificate",
+ "add-trusted-cert",
+ "set-keychain-settings",
+ "delete-certificate",
+ "/Users/*/Library/Keychains/openvpn.keychain-db",
+ "show-keychain-info",
+ "lock-keychain",
+ "set-key-partition-list",
+ "import",
+ "find-identity") and
+ not process.parent.executable : "/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect"
 '''
@@ -57,4 +68,3 @@ reference = "https://attack.mitre.org/techniques/T1555/001/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-
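Review bot: The added `not process.args : (...)` clause in the second hunk excludes on any matching token anywhere in the argument list, so an invocation that names one of the keychain files and also carries a token such as `import` or `find-identity` next to a different subcommand is dropped as well; the `"/Users/*/Library/Keychains/openvpn.keychain-db"` entry likewise suppresses every access to that file, not only OpenVPN Connect's. The two OpenVPN-specific exclusions could be bound together so that the path is only tolerated under the expected parent, `not (process.parent.executable : "/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect" and process.args : "/Users/*/Library/Keychains/openvpn.keychain-db")`, leaving the generic subcommand list as a separate, shorter exclusion. The hunk gives no rationale for why each listed subcommand is considered benign; recording that under the rule's `false_positives` entry would let later tuning revisit individual items instead of the whole list. The EQL query string begins before this hunk, so the head of the `where` clause is not visible here.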