Update rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml

Co-authored-by: Terrance DeJesus <[email protected]>

Author: Samirbous

rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml

@@ -90,7 +90,7 @@ from logs-azure.signinlogs-* metadata _id, _version, _index
         Esql.source_ip_values = VALUES(source.ip) by azure.signinlogs.properties.session_id, azure.signinlogs.identity
 
 | where Esql.is_interactive >= 2 and Esql.is_non_interactive >= 1 and (Esql.dc.source_ip >= 2 or Esql.dc.user_agents >= 2)
-| keep @timestamp,
+| keep
        Esql.*,
        azure.signinlogs.properties.session_id,
        azure.signinlogs.identity