diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index 213bdc3f9e2..6e8f7342aac 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -69,6 +69,7 @@
 "process.Ext.token.integrity_level_name": "keyword",
 "process.parent.Ext.real.pid": "long",
 "process.Ext.effective_parent.executable": "keyword",
+ "process.Ext.effective_parent.entity_id": "keyword",
 "process.Ext.effective_parent.name": "keyword",
 "file.Ext.header_bytes": "keyword",
 "file.Ext.entropy": "long",
diff --git a/rules/windows/collection_email_outlook_mailbox_via_com.toml b/rules/windows/collection_email_outlook_mailbox_via_com.toml
index 6999edfe0cc..feb34e149a7 100644
--- a/rules/windows/collection_email_outlook_mailbox_via_com.toml
+++ b/rules/windows/collection_email_outlook_mailbox_via_com.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/20"
 
 [rule]
 author = ["Elastic"]
@@ -43,9 +43,9 @@ sequence with maxspan=1m
 (process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500)
 )
 )
-] by process.executable
+] by process.entity_id
 [process where host.os.type == "windows" and event.action == "start" and process.name : "OUTLOOK.EXE" and
- process.Ext.effective_parent.name != null] by process.Ext.effective_parent.executable
+ process.Ext.effective_parent.name != null] by process.Ext.effective_parent.entity_id
 '''
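Review bot: The new `"process.Ext.effective_parent.entity_id": "keyword"` entry only tells the schema validator that the field exists and its type; nothing in this commit records which Endpoint integration version first populates it, and the rule changed in the same commit now uses it as a sequence join key. On a stack where Endpoint does not emit the field, the Outlook start event carries no join key, so the sequence would appear to silently stop matching rather than fail rule validation — worth confirming the minimum Endpoint version that sets it and documenting that in the rule's `note` or `setup` text. Typing it `keyword` is consistent with the neighbouring `effective_parent.executable` and `effective_parent.name` entries. The rule's query hunk is cut off at the end of this chunk, so its trailing context was not reviewed.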