diff --git a/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml b/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml index 712372297..d5bb911ba 100644 --- a/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml +++ b/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml @@ -23,6 +23,10 @@ detection: # There could be other cases for other tooling add them accordingly #AttributeValue|contains: 'B:828' #OperationType: '%%14674' # Value Added + # As stated in the FP sections it's better to filter out the expected accounts that perform this operation to tighten the logic + # Uncomment the filter below and add the account name (or any other specific field) accordingly + #filter: + #SubjectUserName: "%name%" condition: selection falsepositives: - Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)
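Review bot: the commented-out `#filter:` / `#SubjectUserName: "%name%"` block this hunk adds is never referenced by the rule's `condition: selection`, so an analyst who follows the comment and uncomments the filter gets a new detection block that has no effect and the expected accounts still match. Either change the condition at the same time (e.g. a commented `#condition: selection and not filter` beside the existing `condition: selection`, to be swapped in together with the filter) or state in the comment that the condition must be updated as well. Also worth checking that, once uncommented, `filter:` ends up at the same indentation level as `selection` under `detection:` rather than inside `selection`, since the new lines sit next to the existing `#AttributeValue` / `#OperationType` comments that belong to the selection block; nesting `filter` under `selection` would make the YAML either invalid or silently part of the selection. Minor: "FP sections" should read "falsepositives section" to match the field name below.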