From dc7d8960de7f3be71fb1c072218183579413e75c Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 3 Mar 2026 19:05:47 +0000
Subject: [PATCH] [Tuning] LSASS Process Access via Windows API (#5807)
* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
---
 .../credential_access_lsass_openprocess_api.toml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/rules/windows/credential_access_lsass_openprocess_api.toml b/rules/windows/credential_access_lsass_openprocess_api.toml
index db07c2e3c..d6a78623f 100644
--- a/rules/windows/credential_access_lsass_openprocess_api.toml
+++ b/rules/windows/credential_access_lsass_openprocess_api.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/03/02"
 integration = ["endpoint", "m365_defender"]
 maturity = "production"
-updated_date = "2026/01/16"
+updated_date = "2026/03/02"
 [transform]
 [[transform.osquery]]
@@ -138,7 +138,10 @@ from logs-endpoint.events.api-*, logs-m365_defender.event-* metadata _id, _versi
 | stats Esql.access_count = count(*),
 Esql.count_distinct_hosts = count_distinct(host.id),
 Esql.host_id_values = VALUES(host.id),
+ Esql.host_name_values = VALUES(host.name),
+ Esql.user_name_values = VALUES(user.name),
 Esql.process_pid_values = VALUES(process.entity_id),
+ Esql.process_executable_values = VALUES(process.executable),
 Esql.data_stream_namespace.values = VALUES(data_stream.namespace),
 Esql.user_name_values = VALUES(user.name)
 by Esql.process_path
@@ -147,10 +150,12 @@ from logs-endpoint.events.api-*, logs-m365_defender.event-* metadata _id, _versi
 // Extract the single host ID and process into their corresponding ECS fields for alerts exclusion
 | eval host.id = mv_min(Esql.host_id_values),
- process.executable = mv_min(Esql.process_path)
+ host.name = mv_min(Esql.host_name_values),
+ process.executable = mv_min(Esql.process_executable_values),
+ user.name = mv_min(Esql.user_name_values)
 // Add the new field to the keep statement
-| keep Esql.*, host.id, process.executable
+| keep Esql.*, host.id, host.name, user.name, process.executable
 '''
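Review bot: The added `+ Esql.user_name_values = VALUES(user.name),` duplicates the `Esql.user_name_values = VALUES(user.name)` that already closes this STATS, so the same column is now declared twice in one command; as far as I recall ES|QL keeps only the rightmost definition of a repeated name, which makes the addition a no-op at best and a trap for the next reader. Drop the added line (the existing one already feeds the `mv_min(Esql.user_name_values)` eval later in this patch), or remove the old one if the intent was to group the new VALUES() columns together. The STATS, and the ES|QL query string it belongs to, starts before this hunk.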
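Review bot: `user.name = mv_min(Esql.user_name_values)` and `host.name = mv_min(Esql.host_name_values)` reduce a multi-valued set to its lexically smallest element, so when several users triggered the same Esql.process_path on the host the alert's ECS user.name names only one of them and an exclusion keyed on user.name covers only that one; host.id is presumably single-valued because of a distinct-host filter earlier in the query, which is outside this hunk, but nothing visible constrains user.name the same way. The leading comment still describes only the host ID and process, so it should say what the new fields are; suggest `// Extract the single host ID, plus the lexically-smallest host.name, user.name and process.executable, into ECS fields for alert exclusion; the full sets stay in Esql.*_values`. Likewise `process.executable = mv_min(Esql.process_executable_values)` yields one executable per group, which matters if Esql.process_path is a normalized form of the raw path (its eval is outside the hunk). The enclosing query starts before this hunk.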