diff --git a/rules/windows/credential_access_rare_webdav_destination.toml b/rules/windows/credential_access_rare_webdav_destination.toml
index 48678e009..89cddbac0 100644
--- a/rules/windows/credential_access_rare_webdav_destination.toml
+++ b/rules/windows/credential_access_rare_webdav_destination.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/28"
 integration = ["endpoint", "system", "windows", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/01/13"
+updated_date = "2026/01/23"
 
 [rule]
 author = ["Elastic"]
@@ -62,21 +62,24 @@ from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-sys
 process.name == "rundll32.exe" and process.command_line like "*DavSetCookie*"
 | keep host.id, process.command_line, user.name, user.id
-| grok process.command_line """(?([a-zA-Z0-9-]{4,}\.[a-zA-Z]{2,3}@SSL)|((\d{1,3}\.){3}\d{1,3}))"""
+// extract domain or IP address from process cmdline
+| grok process.command_line """(?((http|https)://[a-zA-Z0-9-\.]{1,}\.[a-zA-Z]{2,3}[@\/]+)|(\b(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\b)[@\/]+)"""
+// remove sub domains from URL
+| eval Esql.server_webdav_server = REPLACE(Esql.server_webdav_server, """((http|https)://[a-zA-Z0-9-]{1,}\.)""", "")
+| eval Esql.server_webdav_server = REPLACE(Esql.server_webdav_server, "/", "")
 | where Esql.server_webdav_server is not null and
- not Esql.server_webdav_server in ("www.google.com@SSL", "www.elastic.co@SSL", "sharepoint.com@SSL", "live.net@SSL", "google.com@SSL", "SHAREPOINT.COM@SSL", "github.com@SSL") and
+ not Esql.server_webdav_server in ("www.google.com", "www.elastic.co", "sharepoint.com", "live.net", "google.com", "SHAREPOINT.COM", "github.com") and
+ // excludes private IP ranges
 not Esql.server_webdav_server rlike """(10\.(\d{1,3}\.){2}\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.(\d{1,3}\.)\d{1,3}|192\.168\.(\d{1,3}\.)\d{1,3})"""
 | stats Esql.event_count = count(*),
 Esql.host_id_count_distinct = count_distinct(host.id),
- Esql.user_id_count_distinct = count_distinct(user.id),
 Esql.host_id_values = values(host.id),
 Esql.user_name_values = values(user.name) by Esql.server_webdav_server
 | where
- Esql.host_id_count_distinct == 1 and
- Esql.event_count <= 3 and Esql.user_id_count_distinct == 1
+ Esql.host_id_count_distinct == 1 and Esql.event_count <= 3
 | eval host.id = MV_MIN(Esql.host_id_values), user.name = MV_MIN(Esql.user_name_values), destination.domain = MV_MIN(Esql.server_webdav_server)
 | KEEP host.id, user.name, destination.domain, Esql.*
 '''
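Review bot: The sub-domain strip in the first added `eval` removes the leading label unconditionally, so a two-label destination (constructed example: `https://example.com/`) collapses to `com`, and with the `@SSL` form to `com@` because the second `eval` only removes `/`; every such host then shares one group key, the allowlist entries in the `in (...)` line can never be reached, and the `host_id_count_distinct == 1` rarity test is defeated for all of them at once. The IP branch of the new `grok` has the same trailing-delimiter problem: its `[@\/]+` sits inside the named capture, so an `@SSL` private address keeps a trailing `@`, and since `rlike` appears to match the whole value the private-range exclusion below does not fire for it. I would strip the scheme and the delimiters separately and drop a label only when another `label.tld` remains, e.g. `| eval Esql.server_webdav_server = REPLACE(Esql.server_webdav_server, """^(http|https)://""", "")`, `| eval Esql.server_webdav_server = REPLACE(Esql.server_webdav_server, """^[a-zA-Z0-9-]{1,}\.(?=[a-zA-Z0-9-]{1,}\.[a-zA-Z]{2,3})""", "")`, `| eval Esql.server_webdav_server = REPLACE(Esql.server_webdav_server, "[/@]", "")` — the lookahead assumes REPLACE accepts Java regex syntax, which should be confirmed against captured `DavSetCookie` command lines before merging. The `[a-zA-Z]{2,3}` TLD bound in the `grok` also silently drops destinations on longer TLDs, which is worth a comment such as `// NOTE: TLDs longer than 3 chars are not captured`. The query's `from` and first `where` lines sit above the hunk.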