[Rule Tuning] Tighten Up Elastic Defend Indexes - Linux (#4446)

rules/linux/execution_shell_via_java_revshell_linux.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/07/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ This detection rule identifies the execution of a Linux shell process from a Jav
 network connection. This behavior may indicate reverse shell activity via a Java application.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Reverse Shell via Java"