From 8c0c0575a98772cca17d37a927a52c5d6692c60f Mon Sep 17 00:00:00 2001
From: mvelazco <mauricio.velazco@gmail.com>
Date: Thu, 9 Nov 2023 16:55:36 -0500
Subject: [PATCH] updating hunting query

---
 .../azure_ad_multi_source_failed_authentications_spike.yml   | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml b/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml
index fdd93d2ad1..a0b471a1f6 100644
--- a/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml
+++ b/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml
@@ -38,11 +38,6 @@ tags:
   - T1110
   - T1110.003
   - T1110.004
-  observable:
-  - name: src_ip
-    type: IP Address
-    role:
-    - Attacker
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security