Following on from this comment, it appears that the SOURCE
object is missing from the SENSITIVE_PROCESS_ACCESS
event.
As a result, the event does not show what accessed the sensitive process.
Below is a redacted sample event (the "cat" template references the missing SOURCE object):
{
"author": "SoteriaSec",
"cat": "Suspicious LSASS Access by {{ index (index .event.EVENTS 1) \"event\" \"SOURCE\" \"FILE_PATH\" }}",
"detect": {
"event": {
"EVENTS": [
{
"event": {
"BASE_ADDRESS": 140700205187072,
"COMMAND_LINE": "C:\\Windows\\system32\\lsass.exe",
"CREATION_TIME": 1751724076897,
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\system32\\lsass.exe",
"HASH": "a4f5fbe1f588c7ac760b0ee406d54e4e02e1acf5efb286abbf75bf9f04bf0485",
"MEMORY_USAGE": 38899712,
"PARENT": {
"FILE_IS_SIGNED": 1,
"FILE_PATH": "\\Device\\HarddiskVolume4\\Windows\\System32\\wininit.exe",
"HASH": "9d045793929738aba4a99d3d48dcb9de8ede24ca31b7319b618942fc5eb27e06",
"MEMORY_USAGE": 7225344,
"PARENT_PROCESS_ID": 520,
"PROCESS_ID": 656,
"THIS_ATOM": "a534f1351f3638c6ea5aca8f68794403",
"THREADS": 1,
"TIMESTAMP": 1752777731334,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"PARENT_PROCESS_ID": 656,
"PROCESS_ID": 792,
"THREADS": 9,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "0eaa1f10-d78e-4753-a215-4c5af440d661",
"event_time": 1752777731584,
"event_type": "EXISTING_PROCESS",
"ext_ip": "REDACTED",
"hostname": "REDACTED",
"iid": "413e09ec-930d-4976-80e0-677380577b4d",
"int_ip": "REDACTED",
"latency": 416662873,
"moduleid": 2,
"oid": "ae41fcf5-70a0-4e89-9a97-895d62e0415f",
"parent": "a534f1351f3638c6ea5aca8f68794403",
"plat": 268435456,
"sid": "4de1e678-678b-47c6-8392-4c4396b0b9a4",
"tags": [
"lc:latest",
"server",
"terminal_server"
],
"this": "fe6bbe167ffb4ced27f4398768794403"
}
},
{
"event": {
"ACCESS_FLAGS": 1053712,
"PARENT_PROCESS_ID": 12588,
"PROCESS_ID": 792,
"TARGET": {
"BASE_ADDRESS": 140700205187072,
"COMMAND_LINE": "C:\\Windows\\system32\\lsass.exe",
"CREATION_TIME": 1751724076897,
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\system32\\lsass.exe",
"HASH": "a4f5fbe1f588c7ac760b0ee406d54e4e02e1acf5efb286abbf75bf9f04bf0485",
"MEMORY_USAGE": 38899712,
"PARENT_ATOM": "a534f1351f3638c6ea5aca8f68794403",
"PARENT_PROCESS_ID": 656,
"PROCESS_ID": 792,
"THIS_ATOM": "fe6bbe167ffb4ced27f4398768794403",
"THREADS": 9,
"TIMESTAMP": 1752777731584,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
}
},
"routing": {
"arch": 2,
"did": "",
"event_id": "fd088519-32c5-453c-8266-7886cf2062c2",
"event_time": 1753189837397,
"event_type": "REMOTE_PROCESS_HANDLE",
"ext_ip": "REDACTED",
"hostname": "REDACTED",
"iid": "413e09ec-930d-4976-80e0-677380577b4d",
"int_ip": "REDACTED",
"latency": 4557060,
"moduleid": 2,
"oid": "ae41fcf5-70a0-4e89-9a97-895d62e0415f",
"plat": 268435456,
"sid": "4de1e678-678b-47c6-8392-4c4396b0b9a4",
"tags": [
"lc:latest",
"server",
"terminal_server"
],
"target": "fe6bbe167ffb4ced27f4398768794403",
"this": "edced43a870df3ac6432065a687f9f9a"
}
}
]
},
"routing": {
"arch": 2,
"did": "",
"event_id": "529fe0a9-3d8d-4466-8431-f088f8809144",
"event_time": 1753194394533,
"event_type": "SENSITIVE_PROCESS_ACCESS",
"ext_ip": "REDACTED",
"hostname": "REDACTED",
"iid": "413e09ec-930d-4976-80e0-677380577b4d",
"int_ip": "REDACTED",
"latency": -75,
"moduleid": 2,
"oid": "ae41fcf5-70a0-4e89-9a97-895d62e0415f",
"plat": 268435456,
"sid": "4de1e678-678b-47c6-8392-4c4396b0b9a4",
"tags": [
"lc:latest",
"server",
"terminal_server"
],
"target": "fe6bbe167ffb4ced27f4398768794403",
"this": "f9316ed7ab1392d76c1e4f2a687f9f9a"
}
},
"detect_id": "e2830378-505b-40da-ba7c-0832687f9f9a",
"gen_time": 1753194394457,
"link": "https://app.limacharlie.io/orgs/ae41fcf5-70a0-4e89-9a97-895d62e0415f/sensors/4de1e678-678b-47c6-8392-4c4396b0b9a4/timeline?time=1753194394&selected=f9316ed7ab1392d76c1e4f2a687f9f9a",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "529fe0a9-3d8d-4466-8431-f088f8809144",
"event_time": 1753194394533,
"event_type": "SENSITIVE_PROCESS_ACCESS",
"ext_ip": "REDACTED",
"hostname": "REDACTED",
"iid": "413e09ec-930d-4976-80e0-677380577b4d",
"int_ip": "REDACTED",
"latency": -75,
"moduleid": 2,
"oid": "ae41fcf5-70a0-4e89-9a97-895d62e0415f",
"plat": 268435456,
"sid": "4de1e678-678b-47c6-8392-4c4396b0b9a4",
"tags": [
"lc:latest",
"server",
"terminal_server"
],
"target": "fe6bbe167ffb4ced27f4398768794403",
"this": "f9316ed7ab1392d76c1e4f2a687f9f9a"
},
"source": "ae41fcf5-70a0-4e89-9a97-895d62e0415f.413e09ec-930d-4976-80e0-677380577b4d.4de1e678-678b-47c6-8392-4c4396b0b9a4.10000000.2",
"source_rule": "general.Suspicious LSASS Access",
"ts": 1753194395000
}