Update reconnaissance_web_server_unusual_user_agents.toml

Author: Aegrah

rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml

@@ -72,14 +72,13 @@ from
     @timestamp,
     event.dataset,
     user_agent.original,
-    url.path,
     source.ip,
     agent.id,
     host.name,
 	Esql_url_lower
 | stats
     Esql.event_count = count(),
-    Esql.url_path_count_distinct = count_distinct(url.path),
+    Esql.url_path_count_distinct = count_distinct(Esql_url_lower),
     Esql.host_name_values = values(host.name),
     Esql.agent_id_values = values(agent.id),
     Esql.url_path_values = values(Esql_url_lower),