Reducing to a low level, as this is not a single indicator of compromise. Users and scripts from time sensitive applications such as mfa/oauth will execute net time \\host /set /y

rules/windows/builtin/security/win_susp_time_modification.yml

@@ -8,7 +8,7 @@ references:
   - Live environment caused by malware
   - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616
 date: 2019/02/05
-modified: 2022/04/06
+modified: 2022/08/03
 logsource:
   product: windows
   service: security
@@ -27,7 +27,7 @@ detection:
   condition: selection and not 1 of filter*
 falsepositives:
   - HyperV or other virtualization technologies with binary not listed in filter portion of detection
-level: medium
+level: low
 tags:
   - attack.defense_evasion
   - attack.t1070.006