adding metadata query fields

Author: imays11

rules/integrations/aws/privilege_escalation_sts_role_chaining.toml

@@ -47,7 +47,7 @@ timestamp_override = "event.ingested"
 type = "esql"
 
 query = '''
-from logs-aws.cloudtrail-*
+from logs-aws.cloudtrail-* metadata _id, _version, _index
 
 // filter for AssumeRole API calls where access key id is a short term token beginning with ASIA
 | where event.dataset == "aws.cloudtrail" and event.provider == "sts.amazonaws.com" and event.action == "AssumeRole" and aws.cloudtrail.resources.account_id == aws.cloudtrail.recipient_account_id and aws.cloudtrail.user_identity.access_key_id like "ASIA*"