Update rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml

Author: Aegrah

rules/linux/initial_access_successful_ssh_authentication_by_unusual_ip.toml

@@ -12,7 +12,7 @@ address that has not been authenticated in the last 10 days. This behavior may i
 attacker attempting to gain access to the system using a valid account.
 """
 from = "now-9m"
-index = ["logs-system.auth-*"]
+index = ["logs-system.auth-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Successful SSH Authentication from Unusual IP Address"