diff --git a/detections/cloud/o365_multi_source_failed_authentications_spike.yml b/detections/cloud/o365_multi_source_failed_authentications_spike.yml
index f4a958da9b..c0065c47d2 100644
--- a/detections/cloud/o365_multi_source_failed_authentications_spike.yml
+++ b/detections/cloud/o365_multi_source_failed_authentications_spike.yml
@@ -35,11 +35,6 @@ tags:
   - T1110
   - T1110.003
   - T1110.004
-  observable:
-  - name: src_ip
-    type: IP Address
-    role:
-    - Attacker
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security