Update rules/windows/credential_access_web_config_file_access.toml

Author: w0rk3r

rules/windows/credential_access_web_config_file_access.toml

@@ -27,9 +27,6 @@ Web.config files are crucial in Windows environments, storing sensitive data lik
 
 ### Possible investigation steps
 
-- Review the alert details to confirm the event category is 'file', the host operating system is 'Windows', and the event action is 'open', as specified in the query.
-- Examine the file path to ensure it includes 'VirtualDirectories', indicating the web.config file is accessed in a potentially sensitive directory.
-- Check the timestamp of the access event to determine if it aligns with normal operational hours or if it occurred during unusual times, which might suggest unauthorized access.
 - Investigate the user account associated with the access event to verify if the account has legitimate reasons to access the web.config file or if it might be compromised.
 - Analyze recent activity from the same user or IP address to identify any other suspicious behavior or access patterns that could indicate a broader security incident.
 - Review system logs and network traffic around the time of the alert to identify any related anomalies or signs of exploitation attempts, such as unusual database queries or web server requests.