Update win_security_susp_possible_shadow_credentials_added.yml
@@ -23,6 +23,10 @@ detection:
# There could be other cases for other tooling add them accordingly
#AttributeValue|contains: 'B:828'
#OperationType: '%%14674' # Value Added
# As stated in the FP sections it's better to filter out the expected accounts that perform this operation to tighten the logic
# Uncomment the filter below and add the account name (or any other specific field) accordingly
#filter:
#SubjectUserName: "%name%"
condition: selection
falsepositives:
- Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)
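Review bot: the commented-out `#filter:` / `#SubjectUserName: "%name%"` block will have no effect even after a user uncomments it, because the hunk leaves `condition: selection` unchanged and nothing references `filter`. The guidance comment ("Uncomment the filter below and add the account name ...") should also tell the user to change the condition, for example by adding a commented line such as `#condition: selection and not filter` next to the existing `condition: selection`, so that excluding the Azure AD Connect or ADFS service accounts named in the falsepositives entry actually tightens the detection rather than silently doing nothing.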