Update credential_access_rare_webdav_destination.toml

Samirbous · web-flow · commit 5e232619b268 · 2025-12-05T11:26:17.000Z
diff --git a/rules/windows/credential_access_rare_webdav_destination.toml b/rules/windows/credential_access_rare_webdav_destination.toml
@@ -54,7 +54,7 @@ timestamp_override = "event.ingested"
 type = "esql"
 
 query = '''
-from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-*, logs-crowdstrike.fdr*, logs-m365_defender.event-* METADATA _id, _version, _index
+from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-*, logs-windows.*, winlogbeat-*, logs-crowdstrike.fdr*, logs-m365_defender.event-* METADATA _id, _version, _index
 | where
     @timestamp > now() - 8 hours and
     event.category == "process" and
