[Tuning] LSASS Process Access via Windows API (#5807)

* Update credential_access_lsass_openprocess_api.toml

* Update credential_access_lsass_openprocess_api.toml

rules/windows/credential_access_lsass_openprocess_api.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/03/02"
 integration = ["endpoint", "m365_defender"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/02"
 
 [transform]
 [[transform.osquery]]
@@ -138,7 +138,10 @@ from logs-endpoint.events.api-*, logs-m365_defender.event-* metadata _id, _versi
 | stats Esql.access_count = count(*),
         Esql.count_distinct_hosts = count_distinct(host.id),
         Esql.host_id_values = VALUES(host.id),
+        Esql.host_name_values = VALUES(host.name),
+        Esql.user_name_values = VALUES(user.name),
         Esql.process_pid_values = VALUES(process.entity_id),
+        Esql.process_executable_values = VALUES(process.executable),
         Esql.data_stream_namespace.values = VALUES(data_stream.namespace),
         Esql.user_name_values = VALUES(user.name) by Esql.process_path
 
@@ -147,10 +150,12 @@ from logs-endpoint.events.api-*, logs-m365_defender.event-* metadata _id, _versi
 
 // Extract the single host ID and process into their corresponding ECS fields for alerts exclusion
 | eval host.id = mv_min(Esql.host_id_values),
-       process.executable = mv_min(Esql.process_path)
+       host.name = mv_min(Esql.host_name_values),
+       process.executable = mv_min(Esql.process_executable_values), 
+       user.name = mv_min(Esql.user_name_values)
 
 // Add the new field to the keep statement
-| keep Esql.*, host.id, process.executable
+| keep Esql.*, host.id, host.name, user.name, process.executable
 '''