Update rule dates and investigation guide headers

- Set updated_date to 2025/12/10 for all modified rules
- Fix investigation guide headers to match actual rule names
- Ensures compliance with test_rule_change_has_updated_date
- Ensures compliance with test_investigation_guide_uses_rule_name

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: terrancedejesus

rules/cross-platform/initial_access_azure_o365_with_network_alert.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/29"
 integration = ["azure", "o365"]
 maturity = "production"
-updated_date = "2025/07/30"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ license = "Elastic License v2"
 name = "M365 or Entra ID Identity Sign-in from a Suspicious Source"
 note = """## Triage and analysis
 
-### Investigating Microsoft 365 or Entra ID Sign-in from a Suspicious Source
+### Investigating M365 or Entra ID Identity Sign-in from a Suspicious Source
 
 #### Possible investigation steps
 

rules/integrations/azure/collection_entra_id_auth_broker_sharepoint_access_for_user_principal.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/05/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/10/01"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/05/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/10/01"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/09/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/10/01"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml

@@ -27,7 +27,7 @@ license = "Elastic License v2"
 name = "Entra ID Excessive Account Lockouts Detected"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID Excessive Account Lockouts Detected
+### Investigating Entra ID Excessive Account Lockouts Detected
 
 This rule detects a high number of sign-in failures due to account lockouts (error code `50053`) in Microsoft Entra ID sign-in logs. These lockouts are typically caused by repeated authentication failures, often as a result of brute-force tactics such as password spraying, credential stuffing, or automated guessing. This detection is time-bucketed and aggregates attempts to identify bursts or coordinated campaigns targeting multiple users.
 

rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/09/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/10/01"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/credential_access_entra_id_suspicious_signin.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/28"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/10/01"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/credential_access_entra_id_totp_brute_force_attempts.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/12/11"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/10/01"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/credential_access_key_vault_excessive_retrieval.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/07/10"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/10/14"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/credential_access_key_vault_retrieval_from_rare_identity.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/07/10"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/10/01"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]