diff --git a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
index 575ba4890..34a157ec8 100644
--- a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
+++ b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/05/17"
 maturity = "production"
-updated_date = "2021/10/11"
+updated_date = "2021/12/30"
 integration = "o365"
 
 [rule]
@@ -32,7 +32,7 @@ type = "threshold"
 
 
 query = '''
-event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:web and o365.audit.LogonError:"SsoArtifactInvalidOrExpired"
+event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:"SsoArtifactInvalidOrExpired"
 '''