[Rule Tuning] Potential Remote Credential Access via Registry (#2511)

* [Rule Tuning] Potential Remote Credential Access via Registry

* Remove WEF index

rules/windows/credential_access_remote_sam_secretsdump.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/01/31"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies remote access to the registry to potentially dump credential data fro
 registry hive in preparation for credential access and privileges elevation.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Remote Credential Access via Registry"
@@ -77,7 +77,7 @@ tags = [
 type = "eql"
 
 query = '''
-sequence by winlog.computer_name, user.id with maxspan=1m
+sequence by host.id, user.id with maxspan=1m
  [authentication where
    event.outcome == "success" and event.action == "logged-in" and
    winlog.logon.type == "Network" and not user.name == "ANONYMOUS LOGON" and