From 3b9e927ca882adeeb391f8772832bc3a67ec7c28 Mon Sep 17 00:00:00 2001
From: "Mika Ayenson, PhD"
Date: Tue, 22 Jul 2025 07:01:45 -0500
Subject: [PATCH] [Rule Tuning] OIDC Discovery URL Changed in Entra ID (#4923)

---
 .../persistence_entra_id_oidc_discovery_url_change.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml b/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml
index beca73539..9a0b54f4a 100644
--- a/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml
+++ b/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/07/14"
+updated_date = "2025/07/22"
 
 [rule]
 author = ["Elastic"]
@@ -54,10 +54,10 @@ tags = [
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
-type = "query"
+type = "esql"
 
 query = '''
-FROM logs-azure.auditlogs-*
+FROM logs-azure.auditlogs-* metadata _id, _version, _index
 | WHERE event.action == "Authentication Methods Policy Update"
 | EVAL Esql.azure.auditlogs.properties.target_resources.modified_properties.new_value.replace = REPLACE(`azure.auditlogs.properties.target_resources.0.modified_properties.0.new_value`, "\\\\", "")
 | EVAL Esql.azure.auditlogs.properties.target_resources.modified_properties.old_value.replace = REPLACE(`azure.auditlogs.properties.target_resources.0.modified_properties.0.old_value`, "\\\\", "")
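Review bot: The two EVAL lines in the second hunk read only `target_resources.0.modified_properties.0.new_value` / `.old_value`, so the converted rule inspects just the first modified property of the first target resource; an "Authentication Methods Policy Update" event whose discovery-URL change lands at a later index in either array would be silently skipped, which is a coverage gap the query-to-ES|QL conversion does not address (this assumes the integration flattens those arrays positionally, which is worth confirming against sample events). The intent of `REPLACE(..., "\\\\", "")` is also undocumented; ES|QL accepts `//` comments, so a line such as `// strip JSON-escaped backslashes so the URL is comparable as plain text` above the first EVAL would make the unescaping step explicit for the next maintainer. The `query = '''` multi-line string continues past the end of this hunk, so the conditions that actually match the OIDC discovery URL are not visible here.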