diff --git a/rules/windows/credential_access_rare_webdav_destination.toml b/rules/windows/credential_access_rare_webdav_destination.toml
index 5d061bbcd..48678e009 100644
--- a/rules/windows/credential_access_rare_webdav_destination.toml
+++ b/rules/windows/credential_access_rare_webdav_destination.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/28"
 integration = ["endpoint", "system", "windows", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/12/05"
+updated_date = "2026/01/13"
 [rule]
 author = ["Elastic"]
@@ -61,24 +61,24 @@ from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-sys
 event.type == "start" and process.name == "rundll32.exe" and process.command_line like "*DavSetCookie*"
-| keep host.id, process.command_line, user.name
-| grok process.command_line """(?DavSetCookie .* http)"""
-| eval
- Esql.server_webdav_cookie_replace = replace(Esql.server_webdav_cookie, "(DavSetCookie | http)", "")
+| keep host.id, process.command_line, user.name, user.id
+| grok process.command_line """(?([a-zA-Z0-9-]{4,}\.[a-zA-Z]{2,3}@SSL)|((\d{1,3}\.){3}\d{1,3}))"""
 | where
- Esql.server_webdav_cookie_replace is not null and
- Esql.server_webdav_cookie_replace rlike """(([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,3}(@SSL.*)*|(\d{1,3}\.){3}\d{1,3})""" and
- not Esql.server_webdav_cookie_replace in ("www.google.com@SSL", "www.elastic.co@SSL") and
- not Esql.server_webdav_cookie_replace rlike """(10\.(\d{1,3}\.){2}\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.(\d{1,3}\.)\d{1,3}|192\.168\.(\d{1,3}\.)\d{1,3})"""
+ Esql.server_webdav_server is not null and
+ not Esql.server_webdav_server in ("www.google.com@SSL", "www.elastic.co@SSL", "sharepoint.com@SSL", "live.net@SSL", "google.com@SSL", "SHAREPOINT.COM@SSL", "github.com@SSL") and
+ not Esql.server_webdav_server rlike """(10\.(\d{1,3}\.){2}\d{1,3}|172\.(1[6-9]|2\d|3[0-1])\.(\d{1,3}\.)\d{1,3}|192\.168\.(\d{1,3}\.)\d{1,3})"""
 | stats
 Esql.event_count = count(*),
 Esql.host_id_count_distinct = count_distinct(host.id),
+ Esql.user_id_count_distinct = count_distinct(user.id),
 Esql.host_id_values = values(host.id),
 Esql.user_name_values = values(user.name)
- by Esql.server_webdav_cookie_replace
+ by Esql.server_webdav_server
 | where
 Esql.host_id_count_distinct == 1 and
- Esql.event_count <= 3
+ Esql.event_count <= 3 and Esql.user_id_count_distinct == 1
+| eval host.id = MV_MIN(Esql.host_id_values), user.name = MV_MIN(Esql.user_name_values), destination.domain = MV_MIN(Esql.server_webdav_server)
+| KEEP host.id, user.name, destination.domain, 
Esql.*
 '''
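Review bot: The new grok pattern on the `+| grok process.command_line` line only captures hostnames that end in `@SSL`, so a plain-HTTP or port-qualified WebDAV destination (`DavSetCookie evil.example http://...`, `host@8080`) leaves `Esql.server_webdav_server` null and is discarded by the following `is not null` filter; the old `(@SSL.*)*` made that suffix optional, so this is a coverage regression for exactly the attacker-hosted servers the rule targets, and `[a-zA-Z]{2,3}` additionally drops 4+-letter TLDs such as `.info`, `.cloud` or `.xyz`. Making the suffix optional needs an anchor on the argument rather than the whole command line, since otherwise a `davclnt.dll` path (if present, as is usual for this export) becomes the first match; something like `| grok process.command_line """DavSetCookie (?:[a-zA-Z0-9-]+\.)*(?<Esql.server_webdav_server>[a-zA-Z0-9-]{4,}\.[a-zA-Z]{2,}(?:@SSL|@\d{1,5})?|(?:\d{1,3}\.){3}\d{1,3})"""` keeps the registered-domain capture the exclusion list depends on and leaves the IP form unchanged so the full-match private-range `rlike` still applies. The `in (...)` exclusion is case-sensitive, which is presumably why both `sharepoint.com@SSL` and `SHAREPOINT.COM@SSL` are listed; normalising once with `| eval Esql.server_webdav_server = to_lower(Esql.server_webdav_server)` and a lowercase list is more robust than enumerating case variants. Excluding the registered domains `sharepoint.com` and `live.net` also allowlists every tenant, including attacker-controlled OneDrive/SharePoint sites used to host WebDAV payloads, so the trade-off is worth stating in the rule's notes if intentional. The hunk's line counts suggest its trailing context continues past what is shown here.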