From a053be791c30eff760c8ce50285f8a24506905bc Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 10 Sep 2022 09:49:14 +0200
Subject: [PATCH] Update proc_creation_win_user_discovery_get_aduser.yml
---
 .../proc_creation_win_user_discovery_get_aduser.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml b/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml
index 6e5505cdf..663102824 100644
--- a/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml
+++ b/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml
@@ -24,7 +24,7 @@ detection:
 condition: all of selection_*
 falsepositives:
 - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
-level: high
+level: medium
 tags:
 - attack.discovery
 - attack.t1033
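Review bot: The rule's `modified` date is not bumped with this severity change: the diffstat shows one insertion and one deletion, and that single line is `level`. Sigma convention is to update `modified` whenever a rule's level changes, e.g. `modified: 2022/09/10` to match the commit date. The rule header lies above the hunk, so whether a `modified` field already exists cannot be confirmed from here. The commit subject also gives no reason for the downgrade; the `falsepositives` entry about legitimate admin scripts is presumably the motivation. A one-line rationale in the message would help consumers whose pipelines alert only on `high` and above, since this rule will stop surfacing for them.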