[Tuning] Rare Connection to WebDAV Target (#5415)

* Update credential_access_rare_webdav_destination.toml * Update credential_access_rare_webdav_destination.toml
2025-12-05 22:31:01 +00:00
parent cea2f43732
commit 896b6a214a
1 changed files with 3 additions and 4 deletions
@@ -2,7 +2,7 @@
 creation_date = "2025/04/28"
 integration = ["endpoint", "system", "windows", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/05"

 [rule]
 author = ["Elastic"]
@@ -54,7 +54,7 @@ timestamp_override = "event.ingested"
 type = "esql"

 query = '''
-from logs-*
+from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-*, logs-windows.*, winlogbeat-*, logs-crowdstrike.fdr*, logs-m365_defender.event-* METADATA _id, _version, _index
 | where
    @timestamp > now() - 8 hours and
    event.category == "process" and
@@ -62,8 +62,7 @@ from logs-*
    process.name == "rundll32.exe" and
    process.command_line like "*DavSetCookie*"
 | keep host.id, process.command_line, user.name
-| grok
-    process.command_line """(?<Esql.server_webdav_cookie>DavSetCookie .* http)"""
+| grok process.command_line """(?<Esql.server_webdav_cookie>DavSetCookie .* http)"""
 | eval
    Esql.server_webdav_cookie_replace = replace(Esql.server_webdav_cookie, "(DavSetCookie | http)", "")
 | where