diff --git a/rules/cross-platform/credential_access_forced_authentication_pipes.toml b/rules/cross-platform/credential_access_forced_authentication_pipes.toml
index aa81bb500..db0ec420c 100644
--- a/rules/cross-platform/credential_access_forced_authentication_pipes.toml
+++ b/rules/cross-platform/credential_access_forced_authentication_pipes.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/23"
 integration = ["endpoint", "system"]
 maturity = "production"
-updated_date = "2024/08/09"
+updated_date = "2024/10/01"
 
 [rule]
 author = ["Elastic"]
@@ -57,8 +57,8 @@ type = "eql"
 
 query = '''
 sequence with maxspan=15s
-[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445] by host.ip
-[file where host.os.type == "windows" and event.code == "5145" and file.name : ("Spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc", "FssagentRpc")] by source.ip
+[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445 and not startswith~(string(destination.ip), string(host.ip))] by host.ip, data_stream.namespace
+[file where host.os.type == "windows" and event.code == "5145" and file.name : ("Spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc", "FssagentRpc")] by source.ip, data_stream.namespace
 '''
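Review bot: The new `not startswith~(string(destination.ip), string(host.ip))` clause on the Linux network event in the second hunk is a string-prefix test rather than an address comparison, so when host.ip is the single value 10.0.0.1 a destination such as 10.0.0.100 is excluded as well, which suppresses exactly the neighbouring-host SMB connection this sequence is meant to correlate. If the intent is to drop the host connecting to itself, an address comparison expresses that without the false exclusions, e.g. `and destination.ip != host.ip` or `and not cidrMatch(destination.ip, "127.0.0.0/8", "::1/128")` for loopback; if a subnet is meant to be excluded, `cidrMatch` with the explicit range does so. Because host.ip is commonly multi-valued in ECS, how `string()` and `startswith~` behave on an array value should be confirmed before merging, since a null result would make the `not` clause drop every Linux event and silence the rule. The hunk header counts more lines than are visible here, so its trailing context appears cut off after the closing `'''`.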