From 896b6a214a6f079b93e9f67c2a6e8f7e86c156be Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Fri, 5 Dec 2025 22:31:01 +0000
Subject: [PATCH] [Tuning] Rare Connection to WebDAV Target (#5415)

* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml
---
 .../windows/credential_access_rare_webdav_destination.toml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/rules/windows/credential_access_rare_webdav_destination.toml b/rules/windows/credential_access_rare_webdav_destination.toml
index 072af9698..5d061bbcd 100644
--- a/rules/windows/credential_access_rare_webdav_destination.toml
+++ b/rules/windows/credential_access_rare_webdav_destination.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/28"
 integration = ["endpoint", "system", "windows", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/05"
 
 [rule]
 author = ["Elastic"]
@@ -54,7 +54,7 @@ timestamp_override = "event.ingested"
 type = "esql"
 
 query = '''
-from logs-*
+from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-*, logs-windows.*, winlogbeat-*, logs-crowdstrike.fdr*, logs-m365_defender.event-* METADATA _id, _version, _index
 | where
     @timestamp > now() - 8 hours and
     event.category == "process" and
@@ -62,8 +62,7 @@ from logs-*
     process.name == "rundll32.exe" and
     process.command_line like "*DavSetCookie*"
 | keep host.id, process.command_line, user.name
-| grok
-    process.command_line """(?<Esql.server_webdav_cookie>DavSetCookie .* http)"""
+| grok process.command_line """(?<Esql.server_webdav_cookie>DavSetCookie .* http)"""
 | eval
     Esql.server_webdav_cookie_replace = replace(Esql.server_webdav_cookie, "(DavSetCookie | http)", "")
 | where