Apply suggestions from code review

Co-authored-by: Samirbous <[email protected]>

Author: w0rk3r

rules/windows/credential_access_kerberos_coerce.toml

@@ -89,11 +89,11 @@ tags = [
     "Data Source: Windows Security Event Logs"
 ]
 timestamp_override = "event.ingested"
-type = "eql"
+type = "query"
 
 query = '''
-any where host.os.type == "windows" and event.code == "5137" and
-    winlog.event_data.ObjectDN : "*UWhRCA*BAAAA*"
+(event.code:4662 and winlog.event_data.AdditionalInfo : *1UWhR*BAAAA,*MicrosoftDNS*) or 
+(event.code:5137 and winlog.event_data.ObjectDN:*1UWhR*BAAAA,*MicrosoftDNS*)
 '''