From 34d5b268d830ed5184fa4d27bed2d58cb796b0ec Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Tue, 1 Apr 2025 16:06:00 -0300
Subject: [PATCH] [Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation

---
 ...sistence_exchange_suspicious_mailbox_right_delegation.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
index 5069b3e6823..e4563d0d588 100644
--- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
+++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/17"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/04/01"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -64,7 +64,7 @@ type = "query"
 query = '''
 event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and
 o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and
-not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)"
+not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)"
 '''
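Review bot: The exclusion on the `not user.id` line of the second hunk still depends on one exact spelling of a vendor-emitted string, so it stops suppressing the Exchange service account whenever the audit log spells it differently. If `user.id` is mapped as a keyword field (the mapping is not visible here), the match is case-sensitive, and any events that still carry the old `Servicehost` spelling would now alert as false positives. If both spellings occur in real data, consider listing them together: `not user.id : ("NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)" or "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)")`. The rest of the rule, including its false-positive notes, lies outside the hunk, so I cannot tell whether the reason for this exclusion is documented there.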