
Suspicious Lsass Process Access

Elastic Detection Rules

Summary
The rule 'Suspicious Lsass Process Access' identifies potential credential dumping attempts against the memory of the Local Security Authority Subsystem Service (LSASS) on Windows systems. LSASS is critical for enforcing security policy and managing user logons, so adversaries often try to access it to extract credentials for unauthorized access. The detection uses EQL (Event Query Language) to filter events recorded by Winlogbeat and the Sysmon operational log. It triggers on access attempts that deviate from typical process behavior, excluding known legitimate processes and access patterns. The rule relies on Windows event data fields such as 'GrantedAccess' and 'TargetImage' to surface suspicious activity while deliberately omitting well-known legitimate tools and processes that would otherwise generate false positives. Investigation guidelines are provided to help security analysts validate alerts effectively.
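As an added illustration of the logic the summary describes (this is not Elastic's rule or its EQL query), the Python below filters constructed Sysmon Event ID 10 (ProcessAccess) records on the fields the rule names, TargetImage and GrantedAccess, and drops an allowlist of legitimate source images. The access-mask threshold (PROCESS_VM_READ) and the allowlist entries are assumptions chosen for the example, not the rule's own lists.

```python
"""Triage Sysmon ProcessAccess events for reads of LSASS memory.

Added example, not Elastic's rule. Field names follow Sysmon event data;
the mask threshold and allowlist below are assumptions for illustration.
"""
from typing import Iterable

PROCESS_VM_READ = 0x0010  # right required to read another process's memory
LSASS_SUFFIX = "\\lsass.exe"

# Assumed allowlist of source images that legitimately touch LSASS (lowercase).
KNOWN_GOOD_SOURCES = {
    r"c:\windows\system32\wbem\wmiprvse.exe",
    r"c:\windows\system32\svchost.exe",
}


def is_suspicious(event: dict) -> bool:
    """True when a ProcessAccess event looks like an LSASS memory read."""
    if event.get("EventID") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith(LSASS_SUFFIX):
        return False
    if event.get("SourceImage", "").lower() in KNOWN_GOOD_SOURCES:
        return False
    try:
        mask = int(event.get("GrantedAccess", "0"), 16)
    except ValueError:
        return True  # malformed mask: surface it rather than drop it silently
    # Memory-read rights are the tell; query-only access is common, benign noise.
    return bool(mask & PROCESS_VM_READ)


def triage(events: Iterable[dict]) -> list[dict]:
    """Return only the events an analyst should look at."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\unknown.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Windows\system32\taskmgr.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\unknown.exe",
     "TargetImage": r"C:\Windows\system32\notepad.exe", "GrantedAccess": "0x1fffff"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["SourceImage"], "->", hit["TargetImage"], hit["GrantedAccess"])
```

Only the first sample survives: the svchost access is allowlisted, the Task Manager access lacks memory-read rights, and the last event does not target LSASS at all.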
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • Logon Session
ATT&CK Techniques
  • T1003.001
  • T1003
Created: 2023-01-22