elastic · shashank-elastic · May 7, 2025 · May 7, 2025 · May 7, 2025 · terrancedejesus
diff --git a/...integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml b/...integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/05/01"
+updated_date = "2025/05/07"
 
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ note = """## Triage and analysis
 
 This rule identifies non-interactive sign-ins to SharePoint Online via the Microsoft Authentication Broker application using a refresh token or Primary Refresh Token (PRT). This type of activity may indicate token replay attacks, OAuth abuse, or automated access from previously consented apps or stolen sessions.
 
-This is a [New Terms rule](https://www.elastic.co/guide/en/security/current/new-terms-rules.html) that detects the first occurrence of a user principal name accessing SharePoint Online via the Microsoft Authentication Broker application in the last 14 days.
+This is a [New Terms rule](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) that detects the first occurrence of a user principal name accessing SharePoint Online via the Microsoft Authentication Broker application in the last 14 days.
 
 ### Possible Investigation Steps: