I\'ve got a custom detection in Defender ATP that looks like this:
DeviceEvents | where Timestamp > ago(1h) | where ActionType startswith \'AsrLsassCredential
