diff --git a/custom_analytic_detections/hidden_account_created_dscl.yaml b/custom_analytic_detections/hidden_account_created_dscl.yaml
index 073c0c8..c859524 100644
--- a/custom_analytic_detections/hidden_account_created_dscl.yaml
+++ b/custom_analytic_detections/hidden_account_created_dscl.yaml
@@ -8,7 +8,7 @@ tags:
 snapshotFiles: []
 filter: $event.type == 1 AND ($event.process.path.lastPathComponent == "dscl" AND
- ((ANY $event.process.args == "IsHidden") AND (ANY $event.process.args == "-create") AND (ANY $event.process.args IN {"true", "1", "yes"})))
+ ((ANY $event.process.args == "IsHidden") AND (ANY $event.process.args IN {"-create", "create"}) AND (ANY $event.process.args IN {"true", "1", "yes"})))
 actions:
 - name: Log
 context: []
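Review bot: The new `IN {"-create", "create"}` clause on the added line is evaluated independently of the other two ANY clauses, so the rule fires on any dscl invocation whose argument vector contains "IsHidden", either verb spelling and a truthy value in any order; a bare `create` is a far more common token than `-create`, so this widening can also match invocations where "create" appears as a record path or attribute value rather than as the verb. If the filter language supports positional matching, anchoring the verb ahead of the attribute would preserve the narrower intent; otherwise the wider match is defensible but the accepted false-positive trade-off should be stated. The reason for the change is not recorded in the file, so I would add `# dscl presumably accepts the verb with or without the leading dash; match both spellings` above the `filter:` key, whose value begins in this hunk. The filter is a plain scalar continued by indentation across lines; `filter: >-` followed by the indented expression would make the folding explicit and avoid a mapping parse should a later edit introduce `: ` in a continuation line.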