[Rule Tuning] Tighten Up Elastic Defend Indexes - Linux (#4446)

rules/linux/execution_shell_evasion_linux_binary.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/05/06"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/17"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ system shell. The activity of spawning a shell from a binary is not common behav
 and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Linux Restricted Shell Breakout via Linux Binary(s)"