From 26d5bad914aaad65d33eb85c54c449a7f149bc13 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Mon, 31 Jan 2022 21:02:02 -0300
Subject: [PATCH] [Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation (#1741)
* Update persistence_exchange_suspicious_mailbox_right_delegation.toml
* fix year
---
 ...istence_exchange_suspicious_mailbox_right_delegation.toml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
index e6eea2db8..0f2ec5bbb 100644
--- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
+++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/05/17"
 maturity = "production"
-updated_date = "2021/10/11"
+updated_date = "2022/01/31"
 integration = "o365"
 [rule]
@@ -28,7 +28,8 @@ type = "query"
 query = '''
 event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and
-o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success
+o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and
+not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)"
 '''
 [[rule.threat]]
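Review bot: The exclusion added at the end of the query in the second hunk, `not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)"`, silences every successful FullAccess/SendAs/SendOnBehalf grant attributed to that identity, and neither the hunk nor the commit message records why. Because this is an unconditional identity-based carve-out in a persistence rule, the rationale belongs where analysts will read it, for example in the rule's `false_positives` or `note` text (both outside this hunk, so they may already cover it): `Mailbox permission changes performed by the Exchange service host identity are excluded by the query to reduce noise; review separately if that activity needs coverage.` The match is an exact string on `user.id`, so it is worth confirming against real `o365.audit` events that the value is logged with exactly this casing and spacing, otherwise the tuning has no effect. As a style point, the new clause writes `user.id : "..."` with spaces around the colon while the rest of the query uses `field:value`; `not user.id:"NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)"` would match the surrounding lines.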