Detecting Suspicious LSASS Access + Template String Example

It looks like the SOURCE item doesn’t always appear in these events, so the detection will trigger, but the detection name will be the literal name above, "Suspicious LSASS Access by {{ index (index .event.EVENTS 1) "event" "SOURCE" "FILE_PATH" }}", when the SOURCE object isn’t present.

This is with LC Sensor version 4.33.11
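
The behaviour described above, reproduced as an added example (not part of the original post and not LimaCharlie's own code). It assumes the detection name is evaluated as a Go text/template and that a render error falls back to the literal name, as the post reports. The event layout, the file paths and the guarded variant of the name are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// rawName is the detection name from the post; guardedName is an added variant
// that checks for SOURCE before reading FILE_PATH.
const rawName = `Suspicious LSASS Access by {{ index (index .event.EVENTS 1) "event" "SOURCE" "FILE_PATH" }}`
const guardedName = `Suspicious LSASS Access by {{ with index .event.EVENTS 1 "event" "SOURCE" }}{{ index . "FILE_PATH" }}{{ else }}unknown source{{ end }}`

type M = map[string]interface{}

// sampleEvent builds a constructed event with two EVENTS entries; entry 1
// carries a SOURCE object only when withSource is true.
func sampleEvent(withSource bool) M {
	second := M{"TARGET": M{"FILE_PATH": `C:\Windows\System32\lsass.exe`}}
	if withSource {
		second["SOURCE"] = M{"FILE_PATH": `C:\Users\test\tool.exe`}
	}
	return M{"event": M{"EVENTS": []interface{}{
		M{"event": M{}},
		M{"event": second},
	}}}
}

// RenderName executes tmpl against data. On any template error it returns the
// literal template text (assumed fall-back, modelled on the post's report).
func RenderName(tmpl string, data M) (string, error) {
	t, err := template.New("name").Parse(tmpl)
	if err != nil {
		return tmpl, err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return tmpl, err // indexing into the missing SOURCE fails here
	}
	return buf.String(), nil
}

func main() {
	for _, tmpl := range []string{rawName, guardedName} {
		for _, withSource := range []bool{true, false} {
			name, err := RenderName(tmpl, sampleEvent(withSource))
			fmt.Printf("source=%v err=%v\n  %s\n", withSource, err != nil, name)
		}
	}
}
```

With the guarded name, an event without SOURCE still renders a readable detection name instead of the raw template text.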