diff --git a/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml b/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml
index fdd93d2ad1..a0b471a1f6 100644
--- a/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml
+++ b/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml
@@ -38,11 +38,6 @@ tags:
   - T1110
   - T1110.003
   - T1110.004
-  observable:
-  - name: src_ip
-    type: IP Address
-    role:
-    - Attacker
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security