
Suspicious Child Process for lsass.exe

Anvilogic Forge

Summary
This rule monitors activity around the Local Security Authority Subsystem Service (lsass.exe) to detect potentially malicious behavior such as process injection or process hollowing. The primary focus is on instances where lsass.exe unexpectedly spawns child processes, which is not typical behavior apart from specific scenarios such as Encrypting File System (EFS) operation. This heightened scrutiny allows masquerading attempts and unauthorized process execution to be detected, since lsass.exe is a frequent target across attack vectors given its critical role in the Windows security model. The detection logic, implemented in Splunk, uses Sysmon event logging, specifically Event Code 1, which indicates process creation. The query uses a regex to match events whose parent process is lsass.exe and aggregates the results by time and host, so that analysts can review suspicious instances more easily.
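The logic the summary describes, re-implemented in Python over constructed Sysmon records as an added example (this is not Anvilogic's Splunk query and not part of the original page): keep only Event ID 1, match lsass.exe as the parent image by basename regardless of case, drop the expected EFS child, and aggregate what remains per time bucket and host. The allowlist entry efsui.exe, the 60-second bucket size and the System32-path enrichment on the parent are assumptions added here for illustration, not details taken from the rule.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample Sysmon records, not real telemetry. Only the fields the
# detection needs are kept (EventCode, _time, host, ParentImage, Image).
SAMPLE_EVENTS = [
    {"EventCode": 1, "_time": "2024-02-09T10:00:01Z", "host": "ws01",
     "ParentImage": r"C:\Windows\System32\lsass.exe", "Image": r"C:\Windows\System32\efsui.exe"},
    {"EventCode": 1, "_time": "2024-02-09T10:00:05Z", "host": "ws01",
     "ParentImage": r"C:\Windows\System32\lsass.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventCode": 1, "_time": "2024-02-09T10:00:09Z", "host": "ws01",
     "ParentImage": r"C:\Windows\System32\LSASS.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventCode": 1, "_time": "2024-02-09T10:00:30Z", "host": "ws02",
     "ParentImage": r"C:\Windows\System32\services.exe", "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventCode": 3, "_time": "2024-02-09T10:00:31Z", "host": "ws02",
     "ParentImage": r"C:\Windows\System32\lsass.exe", "Image": r"C:\Windows\System32\lsass.exe"},
    {"EventCode": 1, "_time": "2024-02-09T10:05:00Z", "host": "ws02",
     "ParentImage": r"C:\Temp\lsass.exe", "Image": r"C:\Windows\System32\rundll32.exe"},
]

# Parent must be lsass.exe, matched on the image basename, case-insensitively,
# so both "...\System32\lsass.exe" and "...\System32\LSASS.EXE" hit.
LSASS_PARENT = re.compile(r"(?:^|\\)lsass\.exe$", re.IGNORECASE)

# Assumed allowlist for the EFS case the rule summary calls out: efsui.exe is
# the EFS helper lsass.exe normally launches. Tune this from your own baseline.
EXPECTED_CHILDREN = {"efsui.exe"}

# The genuine LSASS binary lives in System32; a parent named lsass.exe elsewhere
# is surfaced to the analyst (added enrichment, not part of the page's query).
EXPECTED_LSASS_PATH = r"c:\windows\system32\lsass.exe"


def basename(image_path):
    """Return the lowercase file name of a Windows image path."""
    return image_path.rsplit("\\", 1)[-1].lower()


def time_bucket(iso_ts, bucket_seconds):
    """Floor an ISO-8601 UTC timestamp to the start of its bucket, as ISO text."""
    ts = datetime.strptime(iso_ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    floored = int(ts.timestamp()) // bucket_seconds * bucket_seconds
    return datetime.fromtimestamp(floored, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_lsass_children(events, bucket_seconds=60):
    """Keep process-creation events whose parent is lsass.exe, drop the expected
    EFS child, and aggregate the rest per (time bucket, host) for review."""
    groups = defaultdict(lambda: {"children": [], "parent_outside_system32": False})
    for ev in events:
        if ev.get("EventCode") != 1:          # Sysmon Event ID 1 = process creation
            continue
        parent = ev.get("ParentImage", "")
        if not LSASS_PARENT.search(parent):   # parent is not lsass.exe
            continue
        child = basename(ev.get("Image", ""))
        if child in EXPECTED_CHILDREN:        # EFS helper: expected, skip
            continue
        key = (time_bucket(ev["_time"], bucket_seconds), ev["host"])
        group = groups[key]
        group["children"].append(child)
        if parent.lower() != EXPECTED_LSASS_PATH:
            group["parent_outside_system32"] = True
    findings = []
    for (bucket, host), group in sorted(groups.items()):
        findings.append({
            "bucket": bucket,
            "host": host,
            "count": len(group["children"]),
            "children": group["children"],
            "parent_outside_system32": group["parent_outside_system32"],
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_lsass_children(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample this yields two findings: ws01 in the 10:00 bucket with cmd.exe and powershell.exe under the real System32 lsass.exe, and ws02 in the 10:05 bucket with rundll32.exe under an lsass.exe outside System32. The efsui.exe child, the services.exe parent and the non-creation event (EventCode 3) are all dropped, mirroring the filters the summary describes.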
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1134.002
  • T1036.004
  • T1055
Created: 2024-02-09