diff --git a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
index 8766f39fcf6..da1197ef7a0 100644
--- a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
+++ b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/01"
 integration = ["azure", "o365"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/12/05"
 
 [rule]
 author = ["Elastic"]
@@ -87,8 +87,8 @@ query = '''
 event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and
 (
 azure.activitylogs.operation_name:"Consent to application" or
- azure.auditlogs.operation_name:"Consent to application" or
- o365.audit.Operation:"Consent to application."
+ azure.auditlogs.operation_name:"Consent to application" or
+ event.action:"Consent to application."
 ) and
 event.outcome:(Success or success)
 '''
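Review bot: The new `event.action:"Consent to application."` clause is no longer tied to the `o365.audit` dataset, so it is now evaluated against the two Azure datasets selected on the first query line as well; this only widens matching if those datasets ever populate `event.action` with the trailing-period string, which cannot be confirmed from the hunk. If the intent is a like-for-like replacement of the removed `o365.audit.Operation` field, scoping it as `(event.dataset:o365.audit and event.action:"Consent to application.")` keeps the previous dataset-specific behavior explicit. The exact-string match, including the trailing period, is worth verifying against current o365 sample events, since a renamed or re-punctuated operation value would silently stop this branch of the rule from firing. The `query = '''` assignment begins on the line before the hunk and the first hunk is only the `updated_date` bump.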