[Rule Tuning] Suspicious Process Execution via Renamed PsExec Executable (#502)

* Converted suspicious execution via psexec to EQL

* adjusted procname

* eql syntax

* ecs_version

rules/windows/execution_suspicious_psexesvc.toml

@@ -11,20 +11,18 @@ evade detection.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License"
 name = "Suspicious Process Execution via Renamed PsExec Executable"
 risk_score = 47
 rule_id = "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2"
 severity = "medium"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
-type = "query"
+type = "eql"
 
 query = '''
-event.category:process and event.type:(start or process_started) and
-  process.pe.original_file_name:(psexesvc.exe or PSEXESVC.exe) and
-  process.parent.name:services.exe and
-  not process.name:(psexesvc.exe or PSEXESVC.exe)
+process where event.type in ("start", "process_started", "info") and
+  process.pe.original_file_name : "psexesvc.exe" and not process.name : "PSEXESVC.exe"
 '''