[Tuning] Rare Connection to WebDAV Target (#5415)

Samirbous · web-flow · commit 896b6a214a6f · 2025-12-05T22:31:01.000Z
* Update credential_access_rare_webdav_destination.toml

* Update credential_access_rare_webdav_destination.toml
diff --git a/rules/windows/credential_access_rare_webdav_destination.toml b/rules/windows/credential_access_rare_webdav_destination.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/28"
 integration = ["endpoint", "system", "windows", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/05"
 
 [rule]
 author = ["Elastic"]
@@ -54,16 +54,15 @@ timestamp_override = "event.ingested"
 type = "esql"
 
 query = '''
-from logs-*
+from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-*, logs-windows.*, winlogbeat-*, logs-crowdstrike.fdr*, logs-m365_defender.event-* METADATA _id, _version, _index
 | where
     @timestamp > now() - 8 hours and
     event.category == "process" and
     event.type == "start" and
     process.name == "rundll32.exe" and
     process.command_line like "*DavSetCookie*"
 | keep host.id, process.command_line, user.name
-| grok
-    process.command_line """(?<Esql.server_webdav_cookie>DavSetCookie .* http)"""
+| grok process.command_line """(?<Esql.server_webdav_cookie>DavSetCookie .* http)"""
 | eval
     Esql.server_webdav_cookie_replace = replace(Esql.server_webdav_cookie, "(DavSetCookie | http)", "")
 | where
