Update credential_access_forced_authentication.toml

Author: w0rk3r

rules/cross-platform/credential_access_forced_authentication.toml

@@ -44,7 +44,7 @@ type = "eql"
 
 query = '''
 sequence with maxspan=15s
-[network where host.os.type != "windows" and event.action == "connection_attempted" and destination.port == 445] by host.ip
+[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445] by host.ip
 [authentication where host.os.type == "windows" and event.action == "logged-in" and
  winlog.event_data.AuthenticationPackageName : "NTLM" and winlog.event_data.SubjectUserSid == "S-1-0-0"] by source.ip
 '''