PowerShell Get-Process LSASS in ScriptBlock

Sigma Rules

Summary
This rule detects instances of PowerShell commands targeting the Local Security Authority Subsystem Service (LSASS) process via the 'Get-Process' command. The LSASS process is critical in handling security policy and authentication on Windows systems. Any command that queries this process can indicate potential malicious activity, as attackers may seek to extract credentials or perform other nefarious actions. The rule requires that Script Block Logging is enabled in the Windows environment to capture and evaluate the relevant PowerShell command usage. This detection is particularly focused on the ScriptBlockText containing 'Get-Process lsass'. Expected false positives may arise from legitimate administrative actions, particularly where certificate exports are involved, necessitating careful analysis of the context surrounding such activities.
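As an added example (not part of this rule page or of the Sigma project), the snippet below emulates the rule's single selection, `ScriptBlockText|contains: 'Get-Process lsass'`, over constructed PowerShell ScriptBlock Logging (Event ID 4104) records; Sigma string matching is case-insensitive and the `contains` modifier is an unanchored substring test, so both of those properties are reproduced here. The event dictionaries and their field names are constructed sample data, not real telemetry.

```python
"""Emulate the Sigma selection 'ScriptBlockText|contains: Get-Process lsass'
over constructed PowerShell ScriptBlock Logging (Event ID 4104) records."""

# The literal from the rule. Sigma matching is case-insensitive, and
# 'contains' means "this string appears anywhere in the field value".
PATTERN = "Get-Process lsass"

# Constructed sample events (not real telemetry). Only Event ID 4104, the
# ScriptBlock Logging event, carries a ScriptBlockText field; 4103 is
# module logging and is outside this rule's logsource.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending"},
    {"EventID": 4104, "ScriptBlockText": "Get-Process lsass"},
    {"EventID": 4104, "ScriptBlockText": "$p = get-process LSASS; $p.Id"},
    {"EventID": 4104, "ScriptBlockText": "Get-Process -Name lsass"},
    {"EventID": 4103, "Payload": "CommandInvocation(Get-Process lsass)"},
]


def sigma_contains(value, needle):
    """Sigma 'contains' modifier: case-insensitive, unanchored substring test."""
    return needle.lower() in value.lower()


def matches_rule(event):
    """True when the event satisfies the rule: a 4104 record whose
    ScriptBlockText contains the literal 'Get-Process lsass'."""
    if event.get("EventID") != 4104:
        return False
    return sigma_contains(event.get("ScriptBlockText", ""), PATTERN)


def run_detection(events):
    """Return the ScriptBlockText of every matching event, in log order."""
    return [e["ScriptBlockText"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running it flags the second and third records only: the `-Name lsass` form and the 4103 module-logging record fall outside the literal `contains` test as the rule is summarised above, which is the kind of coverage boundary worth confirming in a lab before relying on the rule.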
Categories
  • Windows
  • Endpoint
Data Sources
  • Script
  • Process
Created: 2021-04-23