From 87c0788fcaa8cabeff833c79b31af7fc78deb74e Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 19 Oct 2022 19:04:53 +0200
Subject: [PATCH] Update win_security_susp_possible_shadow_credentials_added.yml

---
 .../win_security_susp_possible_shadow_credentials_added.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml b/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml
index 712372297..d5bb911ba 100644
--- a/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml
+++ b/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml
@@ -23,6 +23,10 @@ detection:
 # There could be other cases for other tooling add them accordingly
 #AttributeValue|contains: 'B:828'
 #OperationType: '%%14674' # Value Added
+ # As stated in the FP sections it's better to filter out the expected accounts that perform this operation to tighten the logic
+ # Uncomment the filter below and add the account name (or any other specific field) accordingly
+ #filter:
+ #SubjectUserName: "%name%"
 condition: selection
 falsepositives:
 - Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)
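Review bot: The commented-out `filter:` template is only half of what a reader needs, because `condition: selection` two lines below is left untouched; a filter block that is uncommented but never referenced by the condition excludes nothing, and Sigma tooling may also complain about an unused detection key. The second added comment should tell the reader to change the condition as well, e.g. `# Uncomment the filter below, add the account name (or any other specific field), and change the condition to 'selection and not filter'`, or add a matching commented `#condition: selection and not filter` next to the existing condition line. Since the falsepositives entry already names the Azure AD Connect synchronization account and the ADFS service account, the note could point to those as the intended values for the `"%name%"` placeholder. Indentation is not recoverable from this collapsed patch, so confirm that `#SubjectUserName` sits nested under `#filter:` once both are uncommented.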