[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464)

* [Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags

* Format & order

* Update pyproject.toml

* Update credential_access_cookies_chromium_browsers_debugging.toml

rules/windows/execution_initial_access_foxmail_exploit.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m3
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/02/21"
 
 [rule]
 author = ["Elastic"]
@@ -15,15 +15,15 @@ a malicious email.
 """
 from = "now-9m"
 index = [
-    "winlogbeat-*",
-    "logs-windows.*",
     "endgame-*",
-    "logs-system.security*",
-    "logs-windows.sysmon_operational-*",
-    "logs-sentinel_one_cloud_funnel.*",
-    "logs-m365_defender.event-*",
+    "logs-crowdstrike.fdr*",
     "logs-endpoint.events.process-*",
-    "logs-crowdstrike.fdr*"
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+    "logs-system.security*",
+    "logs-windows.forwarded*",
+    "logs-windows.sysmon_operational-*",
+    "winlogbeat-*",
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -40,12 +40,12 @@ tags = [
     "Tactic: Execution",
     "Data Source: Elastic Defend",
     "Data Source: Sysmon",
-    "Data Source: System",
+    "Data Source: Windows Security Event Logs",
     "Data Source: Elastic Endgame",
     "Data Source: SentinelOne",
     "Data Source: Microsoft Defender for Endpoint",
     "Data Source: Crowdstrike",
-    "Resources: Investigation Guide"
+    "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"