fix: FPs with LSASS access rule

rules/windows/process_access/win_susp_proc_access_lsass.yml

@@ -49,7 +49,25 @@ detection:
             - 'BA'
             - 'DA'
             - 'FA'
-    condition: selection
+    filter1:
+        SourceImage:
+            - 'C:\WINDOWS\system32\taskmgr.exe'
+    filter2:
+        SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
+        SourceImage|endswith: '\MsMpEng.exe'
+    filter3:
+        SourceImage|startswith: 'C:\Program Files\WindowsApps\'
+        SourceImage|endswith: '\GamingServices.exe'
+        GrantedAccess: '0x1410'
+    filter4:
+        SourceImage|endswith: 
+            - '\PROCEXP64.EXE'
+            - '\PROCEXP.EXE'
+        GrantedAccess: '0x1410'
+    filter5:
+        SourceImage|startswith: 'C:\ProgramData\VMware\VMware Tools\'
+        SourceImage|endswith: '\vmtoolsd.exe'
+    condition: selection and not filter1 and not filter2 and not filter3 and not filter4 and not filter5
 fields:
     - User
     - SourceImage