Getting Alerts associated with the action read_security_data. This indicates that a process is attempting to access sensitive security information on the endpoint. 

• Carbon Black Cloud Windows Sensor: All Supported Versions
• Windows OS: All Supported Versions

While often malicious, these alerts can be triggered by legitimate software as well

• Security Scanners/Antivirus: Vulnerability or compliance scanners that perform system audits.
• Monitoring Tools: Performance monitors or system utilities (like Sysinternals tools) that may request broad memory access.
• Administrative Agents: Remote management agents (like SCCM, Tanium, or specialized backup agents) that interact with user sessions.

• Check the process path and name
• Check if the process has a valid digital signature
• Determine if this is expected behavior in the environment
  • If expected behavior determine if an exclusion or process reputation change is needed, or if the alert needs to be dismissed

This can also occur if an application is scanning lsass.exe