Hi,
Thank you for the reply. Yes, this is what I saw through ProcMon after posting this.
I have tried testing the rule on my endpoint but it does not trigger. I also checked there are no exclusions related to this, or Events related to lsass.exe with UserAddToGroup operation.