From d8d898d12dbf5f48874198e4df06ce3c7a1959b9 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Mon, 16 Jun 2025 08:01:45 -0300
Subject: [PATCH] [Rule Tuning] Outlook Home Page Registry Modification (#4798)

---
 .../command_and_control_outlook_home_page.toml        | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/rules/windows/command_and_control_outlook_home_page.toml b/rules/windows/command_and_control_outlook_home_page.toml
index 4486f3e47..b301820e2 100644
--- a/rules/windows/command_and_control_outlook_home_page.toml
+++ b/rules/windows/command_and_control_outlook_home_page.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/08/01"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/06/12"
 
 [rule]
 author = ["Elastic"]
@@ -82,12 +82,9 @@ type = "eql"
 query = '''
 registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "URL" and
     registry.path : (
-        "HKCU\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL",
-        "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL",
-        "HKU\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL",
-        "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL",
-        "USER\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL"
-    ) and registry.data.strings : "*http*"
+        "*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\*",
+        "*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Today\\*"
+    ) and registry.data.strings : "*://*"
 '''