Update rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml

Co-authored-by: Terrance DeJesus <[email protected]>

Author: Samirbous

rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml

@@ -79,6 +79,7 @@ from logs-azure.signinlogs-* metadata _id, _version, _index
        Esql.non_interactive_logon = CASE(azure.signinlogs.category ==  "NonInteractiveUserSignInLogs", source.ip, null)
 
 | stats Esql.count.logon = count(*),
+        Esql.timestamp_values = values(@timestamp),
         Esql.dc.source_ip = count_distinct(source.ip),
         Esql.is_interactive = count(Esql.interactive_logon),
         Esql.is_non_interactive = count(Esql.non_interactive_logon),