[Rule Tuning] OIDC Discovery URL Changed in Entra ID (#4923)

rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/07/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/07/14"
+updated_date = "2025/07/22"
 
 [rule]
 author = ["Elastic"]
@@ -54,10 +54,10 @@ tags = [
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
-type = "query"
+type = "esql"
 
 query = '''
-FROM logs-azure.auditlogs-*
+FROM logs-azure.auditlogs-* metadata _id, _version, _index
 | WHERE event.action == "Authentication Methods Policy Update"
 | EVAL Esql.azure.auditlogs.properties.target_resources.modified_properties.new_value.replace = REPLACE(`azure.auditlogs.properties.target_resources.0.modified_properties.0.new_value`, "\\\\", "")
 | EVAL Esql.azure.auditlogs.properties.target_resources.modified_properties.old_value.replace = REPLACE(`azure.auditlogs.properties.target_resources.0.modified_properties.0.old_value`, "\\\\", "")