[Tuning] SDH - Possible Consent Grant Attack via Azure-Registered Application (#4283)

* [Tuning] Possible Consent Grant Attack via Azure-Registered Application

SDH related rule tuning for o365.audit dataset

* removing renamed field from query

rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/01"
 integration = ["azure", "o365"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/12/05"
 
 [rule]
 author = ["Elastic"]
@@ -87,8 +87,8 @@ query = '''
 event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and
   (
     azure.activitylogs.operation_name:"Consent to application" or
-    azure.auditlogs.operation_name:"Consent to application" or
-    o365.audit.Operation:"Consent to application."
+    azure.auditlogs.operation_name:"Consent to application" or 
+    event.action:"Consent to application."
   ) and
   event.outcome:(Success or success)
 '''