fixing double header in investigation notes (#4490)

Author: terrancedejesus

rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/10/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/02/18"
+updated_date = "2025/02/21"
 
 [rule]
 author = ["Elastic", "Matteo Potito Giorgio"]
@@ -19,8 +19,6 @@ license = "Elastic License v2"
 name = "First Occurrence of Entra ID Auth via DeviceCode Protocol"
 note = """## Triage and analysis
 
-## Triage and Analysis
-
 ### Investigating First Occurrence of Entra ID Auth via DeviceCode Protocol
 
 This rule detects the first instance of a user authenticating via the **DeviceCode** authentication protocol within a **14-day window**. The **DeviceCode** authentication workflow is designed for devices that lack keyboards, such as IoT devices and smart TVs. However, adversaries can abuse this mechanism by phishing users and stealing authentication tokens, leading to unauthorized access.