[Tuning] Suspicious Kerberos Authentication Ticket Request (#5364)

* Update lateral_movement_credential_access_kerberos_correlation.toml

* Update lateral_movement_credential_access_kerberos_correlation.toml

Author: Samirbous

rules/windows/lateral_movement_credential_access_kerberos_correlation.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/10/28"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2025/10/28"
+updated_date = "2025/11/25"
 
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,12 @@ query = '''
 sequence by source.port, source.ip with maxspan=3s
  [network where host.os.type == "windows" and destination.port == 88 and
   process.executable != null and
-  not process.executable : ("?:\\Windows\\system32\\lsass.exe", "\\device\\harddiskvolume*\\windows\\system32\\lsass.exe") and
+  not process.executable : 
+              ("?:\\Windows\\system32\\lsass.exe", 
+               "\\device\\harddiskvolume*\\windows\\system32\\lsass.exe") and
+  not (process.executable : ("C:\\Windows\\System32\\svchost.exe", 
+                             "C:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe", 
+                             "F:\\IGEL\\RemoteManager\\*\\bin\\tomcat10.exe") and user.id in ("S-1-5-20", "S-1-5-18")) and   
   source.ip != "127.0.0.1" and destination.ip != "::1" and destination.ip != "127.0.0.1"]
  [authentication where host.os.type == "windows" and event.code in ("4768", "4769")]
 '''