Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Ruben Groenewoud <[email protected]>

Author: Samirbous

rules/windows/credential_access_lsass_openprocess_api.toml

@@ -140,6 +140,7 @@ from logs-endpoint.events.api-*, logs-m365_defender.event-* metadata _id, _versi
         Esql.count_distinct_hosts = count_distinct(host.id),
         Esql.host_id_values = VALUES(host.id),
         Esql.process_pid_values = VALUES(process.entity_id),
+        Esql.data_stream_namespace.values = VALUES(data_stream.namespace),
         Esql.user_name_values = VALUES(user.name) by Esql.process_path
 
 // Limit to rare instances