
Multiple Vault Web Credentials Read

Elastic Detection Rules

Summary
The rule 'Multiple Vault Web Credentials Read' detects attempts to access credentials stored in the Windows Credential Manager. Credential Manager is a legitimate feature that lets users store credentials for websites and applications, but attackers may abuse it to enumerate or extract the stored credentials and use them for lateral movement within a network.

The detection uses an EQL sequence query that identifies two consecutive reads of Windows web password credentials from the same process ID (PID) within a span of 1 second. Specifically, it flags events with event code '5382' (a read from the vault) whose resource matches a pattern such as 'http*', while excluding well-known benign cases such as accesses from 'localhost'. The rule carries a moderate risk score of 47, reflecting the potential severity of credential extraction.

The rule includes an investigation guide for analysing flagged events, suggesting steps such as examining the process tied to the suspicious activity and correlating the events with other security logs, which is essential for judging whether the detected behaviour is legitimate. It references the MITRE ATT&CK techniques for credential dumping and credential access, underscoring the value of monitoring this activity.
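As an added illustration that is not part of the Elastic rule or its source, the following Python emulates the sequence logic the summary describes (same PID, two qualifying event-5382 reads within 1 second, 'http*' resources, localhost excluded) over a constructed set of log records. The field names, the exact localhost exclusion pattern and the sample values are assumptions of this example, not the rule's own ECS fields or query.

```python
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass
class VaultEvent:
    # Field names are this example's own, not the rule's ECS field names.
    ts: float        # timestamp in seconds
    event_code: str  # Windows event ID as a string
    pid: int         # process that performed the vault read
    resource: str    # vault resource name, e.g. the website URL


def is_web_vault_read(ev: VaultEvent) -> bool:
    """Per-event filter from the rule summary: event 5382, a resource matching
    'http*', and not one of the localhost accesses the rule excludes (the
    exact localhost pattern is an assumption here)."""
    return (ev.event_code == "5382"
            and fnmatch(ev.resource, "http*")
            and not fnmatch(ev.resource, "*localhost*"))


def find_rapid_pairs(events, maxspan=1.0):
    """Emulate 'sequence by pid with maxspan=1s [read] [read]': two qualifying
    reads from one PID, the second at most `maxspan` seconds after the first.
    Returns the matched (first, second) pairs."""
    pending = {}   # pid -> first read still waiting for its partner
    matches = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_web_vault_read(ev):
            continue
        first = pending.get(ev.pid)
        if first is not None and ev.ts - first.ts <= maxspan:
            matches.append((first, ev))
            del pending[ev.pid]   # sequence complete; next read starts anew
        else:
            pending[ev.pid] = ev  # nothing pending, or too old: new candidate
    return matches


SAMPLE_EVENTS = [  # constructed sample log, not real telemetry
    VaultEvent(0.0, "5382", 4321, "https://intranet.example.test/login"),
    VaultEvent(0.4, "5382", 4321, "https://mail.example.test/"),  # pairs with 0.0
    VaultEvent(0.5, "5382", 4321, "http://localhost:8080/"),       # excluded
    VaultEvent(5.0, "5382", 7777, "https://portal.example.test/"),
    VaultEvent(7.0, "5382", 7777, "https://hr.example.test/"),     # 2 s apart: no hit
    VaultEvent(7.1, "4624", 7777, "https://hr.example.test/"),     # not a vault read
]

if __name__ == "__main__":
    for first, second in find_rapid_pairs(SAMPLE_EVENTS):
        print(f"PID {first.pid}: {first.resource} then {second.resource}")
```

Only the PID 4321 pair fires; the PID 7777 reads are outside the 1 second span and the localhost and non-5382 records never enter the sequence.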
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Application Log
  • Process
  • User Account
ATT&CK Techniques
  • T1003
  • T1555
  • T1555.004
Created: 2022-08-30