LoFP / Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as exceptions. (from Elastic FP section)

Techniques

Sample rules

Possible Shadow Credentials Added

Description

Detects possible addition of shadow credentials to an Active Directory object.

Detection logic

condition: selection
selection:
  AttributeLDAPDisplayName: msDS-KeyCredentialLink
  EventID: 5136