diff --git a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml b/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
index d73d391f8e3..e5e17e7b391 100644
--- a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
+++ b/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/10/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/02/18"
+updated_date = "2025/02/21"
 
 [rule]
 author = ["Elastic", "Matteo Potito Giorgio"]
@@ -19,8 +19,6 @@ license = "Elastic License v2"
 name = "First Occurrence of Entra ID Auth via DeviceCode Protocol"
 note = """## Triage and analysis
 
-## Triage and Analysis
-
 ### Investigating First Occurrence of Entra ID Auth via DeviceCode Protocol
 
 This rule detects the first instance of a user authenticating via the **DeviceCode** authentication protocol within a **14-day window**. The **DeviceCode** authentication workflow is designed for devices that lack keyboards, such as IoT devices and smart TVs. However, adversaries can abuse this mechanism by phishing users and stealing authentication tokens, leading to unauthorized access.