From f9faeacb5ae6419df130dbc8a33dae27017e3751 Mon Sep 17 00:00:00 2001
From: Borna Talebi <49802660+bornatalebi@users.noreply.github.com>
Date: Tue, 12 Jul 2022 23:58:40 +0430
Subject: [PATCH] Update win_account_discovery.yml

---
 rules/windows/builtin/security/win_account_discovery.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/builtin/security/win_account_discovery.yml b/rules/windows/builtin/security/win_account_discovery.yml
index d591f69c0..1ee5a15cc 100644
--- a/rules/windows/builtin/security/win_account_discovery.yml
+++ b/rules/windows/builtin/security/win_account_discovery.yml
@@ -33,7 +33,7 @@ detection:
 - '-555'
 - ObjectName|contains: 'admin'
 filter:
- - SubjectUserName|endswith: '$'
+ SubjectUserName|endswith: '$'
 condition: selection and selection_object and not filter
 falsepositives:
 - If source account name is not an admin then its super suspicious
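Review bot: The new-side `filter` carries the same single `SubjectUserName|endswith: '$'` condition that the removed one-element list already expressed, so the hunk is a cosmetic change whose purpose the commit subject ("Update win_account_discovery.yml") does not state; a subject such as `win_account_discovery: write filter as a map instead of a single-item list` would make the intent reviewable. The exclusion itself is unchanged and still suppresses every subject account whose name ends in `$`, presumably the machine-account case; a one-line comment next to the filter, `# accounts ending in $ (machine accounts) are intentionally excluded`, would record that this breadth is deliberate. The enclosing `detection` block and the rule header begin before the hunk, so whether the map form matches the style used by the rule's other selections cannot be confirmed from here.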