From 718b64f1dfa6148cb2eb4ffdcc42ac4accdd719f Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 12 Jun 2025 12:11:19 +0100
Subject: [PATCH] Update execution_downloaded_url_file.toml (#4794)

---
 rules/windows/execution_downloaded_url_file.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml
index c667ef43f..1e0176989 100644
--- a/rules/windows/execution_downloaded_url_file.toml
+++ b/rules/windows/execution_downloaded_url_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/06/11"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@
 type = "eql"
 
 query = '''
 file where host.os.type == "windows" and event.type == "creation" and file.extension == "url"
-    and file.Ext.windows.zone_identifier > 1 and not process.name : "explorer.exe"
+    and file.Ext.windows.zone_identifier == 3
 '''
 note = """## Triage and analysis
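Review bot: The new predicate `and file.Ext.windows.zone_identifier == 3` silently drops Zone 4 (Restricted sites) files that the previous `> 1` matched, and at the same time removes the `not process.name : "explorer.exe"` exclusion, so the second hunk both narrows and widens the rule's coverage without recording why. If limiting the match to the Internet zone is intentional, state it in the rule's `description` or `note` text, for example `Limited to Zone.Identifier 3 (Internet); Zone 4 (Restricted sites) is deliberately out of scope.`, so a later tuning pass does not reintroduce the broader match by accident. Dropping the explorer.exe exclusion presumably raises alert volume for .url files saved through the shell or a browser download dialog; a sample event or a sentence in the triage section would confirm that trade-off is wanted. The `note` multi-line string that the hunk ends on continues past the end of the hunk.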