
Summary
This rule covers credential dumping activity on hosts protected by Elastic Endgame. Credential dumping (MITRE ATT&CK T1003) is the theft of authentication material such as password hashes, plaintext passwords or Kerberos tickets from an operating system or application, most often by reading the memory of a credential-holding process such as LSASS (T1003.001). The rule does not detect the dumping itself; it surfaces alerts the Endgame agent has already raised. Its KQL query matches alert events from the endgame module whose action or event subtype is cred_theft_event.

The rule carries a risk score of 73, which maps to high severity in Elastic Security. Because one rule execution can match many Endgame alerts, the rule's maximum alerts per run (its max_signals value) should be set high enough that matches are not silently dropped; the Kibana-wide alerting limit still caps what any rule can produce per run, so the two settings must be checked together.

Investigation: review the alert details for the host in question, check the specific event action Endgame reported, correlate with other alerts for the same host or user, and use the ATT&CK references for context. Response: isolate the affected host and treat every credential that was reachable on it as compromised and rotate it; if LSASS memory was read on a domain-joined host, that includes the domain accounts that had logged on there.
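The match logic the summary describes, written out as an added example that is not the rule's own query or any Elastic code, and run over constructed sample documents. The field names event.kind, event.module, event.action and endgame.event_subtype_full are assumptions about the documents the rule reads, and max_signals is a parameter here rather than the rule's real value; the point of the cap is to show how a too-low limit silently drops matches.

```python
"""Added example: Endgame credential-dumping match logic over constructed
sample alert documents, with the per-run alert cap modelled explicitly.

Not the rule's own query. Field names (event.kind, event.module,
event.action, endgame.event_subtype_full) are assumptions.
"""
from typing import Dict, Iterable, List, Optional

Event = Dict[str, str]

# Constructed sample documents; none are real Endgame telemetry.
SAMPLE_EVENTS: List[Event] = [
    {"event.kind": "alert", "event.module": "endgame",
     "event.action": "cred_theft_event",
     "host.name": "ws-finance-07", "user.name": "CORP\\jdoe",
     "process.name": "procdump64.exe"},
    {"event.kind": "alert", "event.module": "endgame",
     "endgame.event_subtype_full": "cred_theft_event",
     "host.name": "srv-dc-01", "user.name": "CORP\\svc_backup",
     "process.name": "rundll32.exe"},
    # Endgame alert of another type: must not match.
    {"event.kind": "alert", "event.module": "endgame",
     "event.action": "ransomware_event", "host.name": "ws-hr-02"},
    # Same action string but not an alert: must not match.
    {"event.kind": "event", "event.module": "endgame",
     "event.action": "cred_theft_event", "host.name": "ws-hr-03"},
    # Alert from a different module: must not match.
    {"event.kind": "alert", "event.module": "sysmon",
     "event.action": "cred_theft_event", "host.name": "ws-hr-04"},
]


def is_endgame_cred_theft(event: Event) -> bool:
    """True when the document is an Endgame alert whose action or event
    subtype is cred_theft_event; every other document is ignored."""
    if event.get("event.kind") != "alert":
        return False
    if event.get("event.module") != "endgame":
        return False
    return "cred_theft_event" in (
        event.get("event.action"),
        event.get("endgame.event_subtype_full"),
    )


def run_rule(events: Iterable[Event],
             max_signals: Optional[int] = None) -> List[Event]:
    """Evaluate one rule execution. max_signals mimics the per-run alert
    cap: once it is reached, further matches are dropped, which is the
    failure mode the configuration note warns about."""
    matches: List[Event] = []
    for event in events:
        if not is_endgame_cred_theft(event):
            continue
        if max_signals is not None and len(matches) >= max_signals:
            break
        matches.append(event)
    return matches


def triage_summary(event: Event) -> str:
    """One line per alert with the fields an analyst looks at first."""
    action = event.get("event.action") or event.get("endgame.event_subtype_full")
    return "{host} user={user} process={proc} action={action}".format(
        host=event.get("host.name", "?"),
        user=event.get("user.name", "?"),
        proc=event.get("process.name", "?"),
        action=action,
    )


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(triage_summary(alert))
```

Running it lists the two Endgame credential-theft alerts and nothing else; calling run_rule with max_signals=1 returns only the first, which is exactly what an undersized alert limit does to a real rule run.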
Categories
- Endpoint
- Windows
- Linux
- Cloud
- On-Premise
Data Sources
- User Account
- Process
- Application Log
- Network Traffic
- Script
ATT&CK Techniques
- T1003 (OS Credential Dumping)
- T1003.001 (OS Credential Dumping: LSASS Memory)
Created: 2020-02-18