
Summary
This detection rule monitors Windows registry modifications related to LSA Protection, specifically changes to the RunAsPPL setting. LSA (Local Security Authority) Protection is a security feature that runs LSASS (Local Security Authority Subsystem Service) as a protected process, preventing unauthorized processes from reading the sensitive credential material it holds. Adversaries may disable this protection in order to access those credentials. The rule triggers when a registry change to RunAsPPL is detected whose new value does not match the expected (protection-enabled) values. Security analysts should investigate the context of the change, including verifying whether it was a legitimate administrative action, examining the process execution tree of the process that made the change, and reviewing prior alerts for the host. False positives may arise from approved changes made on behalf of third-party applications. If malicious activity is confirmed, a full incident response process must be followed, including isolating the affected host, removing any malware, and resetting credentials that may have been exposed.
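As an added example, not part of this rule page or its original logic, the following Python sketch applies the rule's idea to a few constructed registry-modification events. It assumes the setting lives at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL, that the values 1 (enabled) and 2 (enabled with UEFI lock) are the expected ones, and that the event field names used here are those of a hypothetical normalized schema.

```python
# Added example (not from the rule page): minimal detection logic over
# constructed registry-modification events, flagging changes to the LSA
# RunAsPPL value that fall outside the expected "protection enabled" values.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Registry path of the setting (the constructed events below use this path).
RUNASPPL_PATH = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL"

# Assumption: 1 (enabled) and 2 (enabled with UEFI lock) are the expected
# values; any other value, or deleting the value, weakens LSA Protection.
EXPECTED_VALUES = {1, 2}


@dataclass
class RegistryEvent:            # hypothetical normalized event schema
    host: str
    process: str
    action: str                 # "set" or "delete"
    path: str
    value: Optional[int]        # new DWORD value, None for deletions


def runasppl_alerts(events: Iterable[RegistryEvent]) -> List[Dict]:
    """Return one alert per event that sets RunAsPPL to an unexpected
    value or removes it entirely; unrelated keys are ignored."""
    alerts = []
    for ev in events:
        if ev.path.lower() != RUNASPPL_PATH.lower():
            continue
        if ev.action == "delete" or ev.value not in EXPECTED_VALUES:
            alerts.append({
                "host": ev.host,
                "process": ev.process,       # starting point for the process tree review
                "action": ev.action,
                "new_value": ev.value,
                "technique": "T1562.001",
            })
    return alerts


# Constructed sample events: a legitimate enable, a disable, a deletion,
# and an unrelated LSA value that must not trigger.
SAMPLE_EVENTS = [
    RegistryEvent("ws01", "gpupdate.exe", "set", RUNASPPL_PATH, 2),
    RegistryEvent("ws02", "powershell.exe", "set", RUNASPPL_PATH, 0),
    RegistryEvent("ws03", "reg.exe", "delete", RUNASPPL_PATH, None),
    RegistryEvent("ws01", "svchost.exe", "set",
                  r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel", 5),
]

if __name__ == "__main__":
    for alert in runasppl_alerts(SAMPLE_EVENTS):
        print(alert)
```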
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1112
- T1562
- T1562.001
Created: 2025-05-27