changed kibana alert rule name to rule ID

Author: terrancedejesus

rules/cross-platform/initial_access_azure_o365_with_network_alert.toml

@@ -82,7 +82,7 @@ from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*
 | where @timestamp > now() - 8 hours
 // filter for azure or m365 sign-in and external alerts with source.ip not null
 | where to_ip(source.ip) is not null
-  and (event.dataset in ("o365.audit", "azure.signinlogs") or kibana.alert.rule.name == "External Alerts")
+  and (event.dataset in ("o365.audit", "azure.signinlogs") or kibana.alert.rule.rule_id == "eb079c62-4481-4d6e-9643-3ca499df7aaa")
   and not cidr_match(
     to_ip(source.ip),
     "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
@@ -93,7 +93,7 @@ from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*
   )
 
 // capture relevant raw fields
-| keep source.ip, event.action, event.outcome, event.dataset, kibana.alert.rule.name, event.category
+| keep source.ip, event.action, event.outcome, event.dataset, kibana.alert.rule.rule_id, event.category
 
 // classify each source ip based on alert type
 | eval
@@ -109,7 +109,7 @@ from logs-o365.audit-*, logs-azure.signinlogs-*, .alerts-security.*
     Esql.source_ip_network_alert_case_count_distinct = count_distinct(Esql.source_ip_network_alert_case),
     Esql.event_dataset_count_distinct = count_distinct(event.dataset),
     Esql.event_dataset_values = values(event.dataset),
-    Esql.kibana_alert_rule_name_values = values(kibana.alert.rule.name),
+    Esql.kibana_alert_rule_id_values = values(kibana.alert.rule.rule_id),
     Esql.event_category_values = values(event.category)
   by Esql.source_ip = to_ip(source.ip)