O365 Exchange Suspicious Mailbox Right Delegation with wrong user.id?

Hey everyone! We have enabled the Elastic Rule O365 Exchange Suspicious Mailbox Right Delegation. We enabled the default query which can seen below.

event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and
o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and
not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)"

We have noticed within our environment that o365 logs contain the user.id

NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)

and not (Which is in the default rule query)

NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)

Would it be possible for someone in the community to validate if their user.id contains a lower case or capital H? We are trying to determine if the default is incorrect or if it is just for our environment.

If you google for that string both variants shows up, example:

High-Severity Alert - NT AUTHORITY\SYSTEM - Collaboration - Spiceworks Community

A low severity alert has been triggered | Microsoft Community Hub

Please check [Bug] O365 Exchange Suspicious Mailbox Right Delegation - False Positives for "NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)" · Issue #3702 · elastic/detection-rules · GitHub

This seems related.