From 54f65abdb0ceefd8c600c2e2c8743299ebf642fd Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Mon, 30 Jan 2023 09:14:23 -0300
Subject: [PATCH] [Rule Tuning] Potential Shadow Credentials added to AD Object (#2498)

---
 rules/windows/credential_access_shadow_credentials.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml
index 7add0ef72..6fc57d113 100644
--- a/rules/windows/credential_access_shadow_credentials.toml
+++ b/rules/windows/credential_access_shadow_credentials.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/01/27"
 
 [rule]
 author = ["Elastic"]
@@ -62,7 +62,7 @@ type = "query"
 query = '''
 event.action:"Directory Service Changes" and event.code:"5136" and
- winlog.event_data.AttributeLDAPDisplayName:"msDS-KeyCredentialLink" and winlog.event_data.AttributeValue :B\:828*
+ winlog.event_data.AttributeLDAPDisplayName:"msDS-KeyCredentialLink" and winlog.event_data.AttributeValue :B\:828* and not winlog.event_data.SubjectUserName: MSOL_*
 '''