
Summary
This detection rule identifies processes that open a handle to the Local Security Authority Subsystem Service (Lsass.exe) on Windows systems, which may indicate credential dumping. It uses Sysmon Event Code 10 (ProcessAccess) to track attempts to access Lsass.exe, examining the key fields TargetImage, GrantedAccess and SourceImage together with the identifiers of the source process and user involved. Unauthorized access to Lsass.exe is a significant security threat: a successful attack yields cached credentials, enabling privilege escalation and deeper movement through the environment. This analytic is central to incident detection and response teams aiming to safeguard against credential theft and maintain a secure operational posture.
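As an added illustration (not code from the original rule or its author), the following Python applies the rule's logic to constructed Sysmon Event ID 10 records using the EventData field names it cites; the allowlist of benign source images and the sample events are assumptions to be tuned per environment.

```python
# Process access right from winnt.h; reading LSASS memory requires PROCESS_VM_READ (0x0010).
PROCESS_VM_READ = 0x0010

# Example allowlist of sources that legitimately open lsass.exe (assumption: tune per environment).
BENIGN_SOURCES = (
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\wininit.exe",
)

# Constructed Sysmon Event ID 10 records using the EventData field names the rule relies on.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe", "SourceProcessId": 612,
     "SourceUser": r"NT AUTHORITY\SYSTEM", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "SourceProcessId": 4412, "SourceUser": r"CORP\alice",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe", "SourceProcessId": 3080,
     "SourceUser": r"CORP\alice", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "SourceProcessId": 4412, "SourceUser": r"CORP\alice",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1010"},
]

def parse_granted_access(value: str) -> int:
    """Sysmon writes GrantedAccess as a hex string such as '0x1010'."""
    return int(value, 16)

def is_lsass(image: str) -> bool:
    """Match on the file name so the check survives a non-default system root."""
    return image.rsplit("\\", 1)[-1].lower() == "lsass.exe"

def classify_event(event: dict, allowlist=BENIGN_SOURCES) -> "dict | None":
    """Return a finding for an unexpected memory-read handle on lsass.exe, else None."""
    if event.get("EventID") != 10 or not is_lsass(event["TargetImage"]):
        return None
    source = event["SourceImage"]
    if source.lower() in {p.lower() for p in allowlist}:
        return None  # known-good source; expected to hold broad access such as 0x1FFFFF
    granted = parse_granted_access(event["GrantedAccess"])
    if not granted & PROCESS_VM_READ:
        return None  # e.g. 0x1000 (QUERY_LIMITED_INFORMATION) cannot read credential material
    return {"source": source, "pid": event["SourceProcessId"],
            "user": event["SourceUser"], "granted_access": granted}

def triage(events, allowlist=BENIGN_SOURCES) -> list:
    # Run the rule over a batch of events and return the findings in order.
    return [f for f in (classify_event(e, allowlist) for e in events) if f]
```

Only the unknown binary reading lsass.exe with 0x1010 is reported; the allowlisted system process, the limited-rights query and the access to a different target are dropped.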
Categories
- Endpoint
- Windows
Data Sources
- Process
- Network Traffic
ATT&CK Techniques
- T1003.001
- T1003
Created: 2024-11-13