
Summary
This detection rule identifies potential credential dumping attempts targeting the Local Security Authority Subsystem Service (LSASS) in Windows environments. It focuses on suspicious access patterns involving a specific call trace through 'seclogon.dll' combined with a given access rights value. The presence of 'seclogon.dll' in the call trace suggests an adversary may be leveraging the Secondary Logon service to gain unauthorized access to LSASS, possibly with the aim of extracting sensitive credentials. The rule monitors process creation events on Windows systems, looking for access attempts to LSASS by the 'svchost.exe' process with granted access values that typically indicate malicious behavior. Additionally, the setup requires configuring custom ingest pipelines for EQL rules to function correctly, particularly on earlier versions of the Elastic stack. Guidance for investigating alerts triggered by this rule covers evidence gathering and identifying anomalies in the execution of the processes involved.
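As an added illustration of the logic the summary describes (this is not the rule's own EQL query or any Elastic code), the Python below applies the same conditions to constructed Sysmon Event ID 10 (ProcessAccess) records: source process svchost.exe, target lsass.exe, a call trace passing through seclogon.dll, and a granted-access mask that carries rights relevant to credential access. The page does not quote the rule's exact GrantedAccess value, so the rights tested here (PROCESS_DUP_HANDLE or PROCESS_VM_READ) are an assumption for illustration; the field names follow Sysmon's ProcessAccess schema and the sample records are constructed.

```python
"""Added example: flag seclogon-backed svchost.exe -> lsass.exe handle access.

Not the detection rule's own query. Sample records below are constructed.
"""
from __future__ import annotations

import json
import ntpath

# Win32 process access-right bits (documented Windows constants).
PROCESS_VM_READ = 0x0010
PROCESS_DUP_HANDLE = 0x0040
PROCESS_CREATE_PROCESS = 0x0080
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

ACCESS_NAMES = {
    PROCESS_VM_READ: "PROCESS_VM_READ",
    PROCESS_DUP_HANDLE: "PROCESS_DUP_HANDLE",
    PROCESS_CREATE_PROCESS: "PROCESS_CREATE_PROCESS",
    PROCESS_QUERY_INFORMATION: "PROCESS_QUERY_INFORMATION",
    PROCESS_QUERY_LIMITED_INFORMATION: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# ASSUMPTION: the page does not state the rule's exact GrantedAccess value.
# This example treats a handle that can be duplicated or used to read memory
# as the interesting case; a real rule would match its documented mask.
SUSPICIOUS_RIGHTS = PROCESS_DUP_HANDLE | PROCESS_VM_READ


def decode_access(mask: int) -> list[str]:
    """Name the known access-right bits set in a GrantedAccess mask."""
    return [name for bit, name in ACCESS_NAMES.items() if mask & bit]


def is_seclogon_lsass_access(event: dict) -> bool:
    """Apply the rule's conditions to one Sysmon ProcessAccess (Event ID 10) record."""
    source = ntpath.basename(event.get("SourceImage", "")).lower()
    target = ntpath.basename(event.get("TargetImage", "")).lower()
    call_trace = event.get("CallTrace", "").lower()
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return (
        source == "svchost.exe"
        and target == "lsass.exe"
        and "seclogon.dll" in call_trace
        and granted & SUSPICIOUS_RIGHTS != 0
    )


def find_alerts(jsonl: str) -> list[dict]:
    """Run the check over newline-delimited JSON records and enrich each hit."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_seclogon_lsass_access(event):
            alerts.append({
                "source": event["SourceImage"],
                "granted_access": event["GrantedAccess"],
                "rights": decode_access(int(event["GrantedAccess"], 16)),
                "call_trace": event["CallTrace"],
            })
    return alerts


# Constructed sample records (raw string so the JSON backslash escapes survive).
# 1: svchost via seclogon.dll with full access      -> should alert
# 2: svchost via seclogon.dll, query-limited only   -> no alert (benign rights)
# 3: AV engine with full access, no seclogon        -> no alert (wrong source)
# 4: svchost without seclogon in the call trace     -> no alert
SAMPLE_EVENTS = r"""
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d0e4|C:\\Windows\\System32\\KERNELBASE.dll+2b46e|C:\\Windows\\System32\\seclogon.dll+2c51|C:\\Windows\\System32\\rpcrt4.dll+7a3c0"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d0e4|C:\\Windows\\System32\\KERNELBASE.dll+2b46e|C:\\Windows\\System32\\seclogon.dll+2c51"}
{"EventID": 10, "SourceImage": "C:\\ProgramData\\Vendor\\MsMpEng.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d0e4|C:\\Windows\\System32\\KERNELBASE.dll+2b46e"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d0e4|C:\\Windows\\System32\\KERNELBASE.dll+2b46e|C:\\Windows\\System32\\sechost.dll+4f10"}
"""


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {alert['source']} opened lsass.exe with "
              f"{alert['granted_access']} ({', '.join(alert['rights'])})")
```

Only the first sample record fires: the second shares the seclogon.dll call trace but asks only for PROCESS_QUERY_LIMITED_INFORMATION, which is why the rule pairs the call trace with an access-rights condition rather than alerting on seclogon.dll alone. When triaging a hit, the decoded rights list and the full call trace are the first things to record.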
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1003
- T1003.001
Created: 2022-06-29