[Rule Tuning] Microsoft Graph First Occurrence of Client Request (#4728)

* tuning 'Microsoft Graph First Occurrence of Client Request'

* updated update date

rules/integrations/azure/initial_access_graph_first_occurrence_of_client_request.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/23"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/04/30"
+updated_date = "2025/05/19"
 
 [rule]
 author = ["Elastic"]
@@ -94,6 +94,9 @@ query = '''
 event.dataset: "azure.graphactivitylogs"
     and event.type: "access"
     and azure.graphactivitylogs.properties.c_idtyp: "user"
+    and azure.graphactivitylogs.properties.client_auth_method: 0
+    and http.response.status_code: 200
+    and url.domain: "graph.microsoft.com"
 '''
 
 
@@ -119,8 +122,7 @@ reference = "https://attack.mitre.org/tactics/TA0001/"
 field = "new_terms_fields"
 value = [
     "azure.graphactivitylogs.properties.app_id",
-    "azure.graphactivitylogs.properties.user_principal_object_id",
-    "azure.tenant_id",
+    "azure.graphactivitylogs.properties.user_principal_object_id"
 ]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"