Update rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml

Co-authored-by: Terrance DeJesus <[email protected]>

Author: Samirbous

rules/integrations/azure/credential_access_azure_entra_susp_device_code_signin.toml

@@ -89,6 +89,10 @@ from logs-azure.signinlogs-* metadata _id, _version, _index
         Esql.azure_signinlogs_properties_client_app_values = values(azure.signinlogs.properties.app_id),
         Esql.azure_signinlogs_properties_resource_display_name_values = values(azure.signinlogs.properties.resource_display_name),
         Esql.azure_signinlogs_properties_auth_requirement_values = values(azure.signinlogs.properties.authentication_requirement),
+        Esql.azure_signinlogs_properties_tenant_id = values(azure.signinlogs.properties.tenant_id),
+        Esql.azure_signinlogs_properties_status_error_code_values = values(azure.signinlogs.properties.status.error_code),
+        Esql.message_values = values(message),
+        Esql.azure_signinlogs_properties_resource_id_values = values(azure.signinlogs.properties.resource_id),
         Esql.source_ip_values = VALUES(source.ip) by azure.signinlogs.properties.session_id, azure.signinlogs.identity
 
 | where Esql.is_interactive >= 2 and Esql.is_non_interactive >= 1 and (Esql.dc.source_ip >= 2 or Esql.dc.user_agents >= 2)