From 057122df41b56d13db524c829eb64cb19cacd53d Mon Sep 17 00:00:00 2001
From: Shashank K S
Date: Wed, 7 May 2025 16:41:28 +0530
Subject: [PATCH 1/2] Fix new term doc broken link

---
 ..._entra_auth_broker_sharepoint_access_for_user_principal.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml b/rules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml
index 2c32dec20df..f83dc92298b 100644
--- a/rules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml
+++ b/rules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml
@@ -37,7 +37,7 @@ note = """## Triage and analysis

 This rule identifies non-interactive sign-ins to SharePoint Online via the Microsoft Authentication Broker application using a refresh token or Primary Refresh Token (PRT). This type of activity may indicate token replay attacks, OAuth abuse, or automated access from previously consented apps or stolen sessions.

-This is a [New Terms rule](https://www.elastic.co/guide/en/security/current/new-terms-rules.html) that detects the first occurrence of a user principal name accessing SharePoint Online via the Microsoft Authentication Broker application in the last 14 days.
+This is a [New Terms rule](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) that detects the first occurrence of a user principal name accessing SharePoint Online via the Microsoft Authentication Broker application in the last 14 days.

 ### Possible Investigation Steps:

From 3ca593639a485a3f587b2cc63618e6d7e954d4e4 Mon Sep 17 00:00:00 2001
From: Shashank K S
Date: Wed, 7 May 2025 16:51:45 +0530
Subject: [PATCH 2/2] Updated Date

---
 ..._entra_auth_broker_sharepoint_access_for_user_principal.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml b/rules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml
index f83dc92298b..30b7a44a46f 100644
--- a/rules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml
+++ b/rules/integrations/azure/collection_entra_auth_broker_sharepoint_access_for_user_principal.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/05/01"
+updated_date = "2025/05/07"

 [rule]
 author = ["Elastic"]