[Rule Tuning] Modification of WDigest Security Provider (#2201)

excluding svchost.exe running as system (main src of FPs for this use case).

rules/windows/credential_access_mod_wdigest_security_provider.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2022/05/09"
+updated_date = "2022/07/29"
 
 [rule]
 author = ["Elastic"]
@@ -93,7 +93,8 @@ query = '''
 registry where event.type : ("creation", "change") and
     registry.path :
         "HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential"
-    and registry.data.strings : ("1", "0x00000001")
+    and registry.data.strings : ("1", "0x00000001") and
+    not (process.executable : "?:\\Windows\\System32\\svchost.exe" and user.id : "S-1-5-18")
 '''