Commit
[Rule Tuning] Adjust Index Pattern on Windows rules to support WEF (#2438)

* [Rule Tuning] Adjust Index Pattern on Windows rules to support WEF
* s/host.id/winlog.computer_name

Removed changes from:
- rules/windows/credential_access_bruteforce_admin_account.toml
- rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
- rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
- rules/windows/credential_access_dcsync_replication_rights.toml
- rules/windows/credential_access_disable_kerberos_preauth.toml
- rules/windows/credential_access_ldap_attributes.toml
- rules/windows/credential_access_lsass_memdump_handle_access.toml
- rules/windows/credential_access_remote_sam_secretsdump.toml
- rules/windows/credential_access_saved_creds_vault_winlog.toml
- rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
- rules/windows/credential_access_shadow_credentials.toml
- rules/windows/credential_access_spn_attribute_modified.toml
- rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
- rules/windows/defense_evasion_clearing_windows_security_logs.toml
- rules/windows/discovery_privileged_localgroup_membership.toml
- rules/windows/lateral_movement_remote_service_installed_winlog.toml
- rules/windows/lateral_movement_remote_task_creation_winlog.toml
- rules/windows/lateral_movement_service_control_spawned_script_int.toml
- rules/windows/persistence_ad_adminsdholder.toml
- rules/windows/persistence_dontexpirepasswd_account.toml
- rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
- rules/windows/persistence_remote_password_reset.toml
- rules/windows/persistence_scheduled_task_creation_winlog.toml
- rules/windows/persistence_scheduled_task_updated.toml
- rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
- rules/windows/persistence_service_windows_service_winlog.toml
- rules/windows/persistence_temp_scheduled_task.toml
- rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
- rules/windows/privilege_escalation_create_process_as_different_user.toml
- rules/windows/privilege_escalation_credroaming_ldap.toml
- rules/windows/privilege_escalation_group_policy_iniscript.toml
- rules/windows/privilege_escalation_group_policy_privileged_groups.toml
- rules/windows/privilege_escalation_group_policy_scheduled_task.toml
- rules/windows/privilege_escalation_krbrelayup_service_creation.toml
- rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
- rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
- rules/windows/privilege_escalation_windows_service_via_unusual_client.toml

(selectively cherry picked from commit 9c1bd50)
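The two mechanical edits the commit message names, the `s/host.id/winlog.computer_name` substitution and an index-pattern adjustment, are the kind of change that is easy to over-apply (touching rules that were meant to be excluded, or rewriting `host.id` outside the query). The script below is an added example of how to apply both in a scoped way; it is not code from this repository or this commit. It assumes the detection-rules TOML layout (`index = [...]` on one line and `query = '''...'''` as a multi-line string), uses a constructed sample rule and only a subset of the exclusion list as input, and the index pattern it adds (`logs-system.security*`) is an assumption, since the page does not say which pattern the commit added.

```python
import re

# Subset of the rules the commit message says were left untouched; sample input only,
# the full exclusion list is in the commit message above.
EXCLUDED_RULES = {
    "rules/windows/credential_access_dcsync_replication_rights.toml",
    "rules/windows/defense_evasion_clearing_windows_security_logs.toml",
    "rules/windows/persistence_remote_password_reset.toml",
}

# Constructed sample rule in the detection-rules TOML layout; not a real rule from the repo.
SAMPLE_RULE = """[metadata]
creation_date = "2023/01/01"

[rule]
name = "Constructed sample rule"
index = ["winlogbeat-*", "logs-windows.*"]
query = '''
event.category:process and host.id:* and host.os.type:windows
'''
"""

# query = '''...''' block: group 1 is the opener, group 2 the query text, group 3 the closer.
QUERY_BLOCK = re.compile(r"(query\s*=\s*'''\n?)(.*?)(''')", re.DOTALL)
# Single-line index = [...] array; trailing whitespace is kept out of the match.
INDEX_LINE = re.compile(r"^(index\s*=\s*\[)(.*?)(\][ \t]*)$", re.MULTILINE)


def rewrite_host_id(path: str, text: str, excluded=frozenset()) -> tuple[str, int]:
    """Apply s/host.id/winlog.computer_name to the rule's query block only.

    Returns (new_text, replacements). Rules on the exclusion list and rules
    without a query block come back unchanged with a count of 0, so the rest
    of the file (metadata, notes, investigation guide) is never rewritten.
    """
    if path in excluded:
        return text, 0
    m = QUERY_BLOCK.search(text)
    if m is None:
        return text, 0
    # Word boundaries keep fields such as host.ids or a hypothetical xhost.id intact.
    new_query, n = re.subn(r"\bhost\.id\b", "winlog.computer_name", m.group(2))
    return text[: m.start(2)] + new_query + text[m.end(2) :], n


def ensure_index_pattern(text: str, pattern: str) -> tuple[str, bool]:
    """Append an index pattern to the rule's index = [...] line if it is missing.

    Returns (new_text, changed). Which pattern a WEF deployment needs is an
    assumption supplied by the caller; this function only edits the array.
    """
    m = INDEX_LINE.search(text)
    if m is None:
        return text, False
    patterns = [p.strip().strip('"') for p in m.group(2).split(",") if p.strip()]
    if pattern in patterns:
        return text, False
    patterns.append(pattern)
    new_line = m.group(1) + ", ".join(f'"{p}"' for p in patterns) + "]"
    return text[: m.start()] + new_line + text[m.end() :], True


if __name__ == "__main__":
    path = "rules/windows/constructed_sample_rule.toml"
    text, n = rewrite_host_id(path, SAMPLE_RULE, EXCLUDED_RULES)
    # "logs-system.security*" is an assumed pattern, not one taken from the commit.
    text, added = ensure_index_pattern(text, "logs-system.security*")
    print(f"{path}: {n} host.id replacement(s), index pattern added: {added}")
    print(text)
```

Running the two functions over the real `rules/windows/*.toml` files with the full exclusion list from the commit message, and diffing the result against the commit, is a quick way to confirm that nothing outside the query block or the intended rule set was touched.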