From 5e12f05a3667014f976337eb57668b09d0c9ffda Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Tue, 25 Mar 2025 09:08:13 -0400
Subject: [PATCH] fixing double header in investigation notes (#4490)

---
 .../credential_access_first_time_seen_device_code_auth.toml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml b/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
index d73d391f8..e5e17e7b3 100644
--- a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
+++ b/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/10/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/02/18"
+updated_date = "2025/02/21"
 
 [rule]
 author = ["Elastic", "Matteo Potito Giorgio"]
@@ -19,8 +19,6 @@ license = "Elastic License v2"
 name = "First Occurrence of Entra ID Auth via DeviceCode Protocol"
 note = """## Triage and analysis
 
-## Triage and Analysis
-
 ### Investigating First Occurrence of Entra ID Auth via DeviceCode Protocol
 This rule detects the first instance of a user authenticating via the **DeviceCode** authentication protocol within a **14-day window**. The **DeviceCode** authentication workflow is designed for devices that lack keyboards, such as IoT devices and smart TVs. However, adversaries can abuse this mechanism by phishing users and stealing authentication tokens, leading to unauthorized access.