Update rules/windows/credential_access_lsass_openprocess_api.toml

Aegrah · web-flow · commit 8fb8c553e572 · 2025-12-12T10:43:54.000+01:00
diff --git a/rules/windows/credential_access_lsass_openprocess_api.toml b/rules/windows/credential_access_lsass_openprocess_api.toml
@@ -144,7 +144,7 @@ from logs-endpoint.events.api-*, logs-m365_defender.event-* metadata _id, _versi
 
 // Limit to rare instances
 | where Esql.count_distinct_hosts == 1 and Esql.access_count <= 3
-| keep  Esql.*
+| keep Esql.*
 '''
 
 
