From e7806fc74f7946b09cd325df54c99c21f0c5f690 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Wed, 2 Apr 2025 09:52:34 -0300
Subject: [PATCH] [Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation (#4589)

---
 ...sistence_exchange_suspicious_mailbox_right_delegation.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
index 5069b3e68..e4563d0d5 100644
--- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
+++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/17"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/04/01"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -64,7 +64,7 @@ type = "query"
 query = '''
 event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and
 o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and
-not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)"
+not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)"
 '''
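Review bot: The exclusion on the changed line of the second hunk still matches exactly one spelling of the service identity, so the rule now suppresses only `...ServiceHost` where it previously suppressed only `...Servicehost`. If `user.id` is mapped as a keyword field (the mapping is not visible here), the comparison is case-sensitive, and any log source that still emits the earlier spelling would start alerting on system-initiated delegations. Consider covering both forms, `not user.id:("NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)" or "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)")`, or confirm against sample audit events that only the new casing occurs. Since this identity is exempt from every FullAccess/SendAs/SendOnBehalf grant, the reason for the exclusion is worth recording in the rule's false-positive or investigation notes, which are outside this hunk.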