diff --git a/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
index a63b5e210..4a5bc1124 100644
--- a/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
+++ b/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/05/18"
 [rule]
-author = ["Elastic"]
+author = ["Elastic", "@BenB196", "Austin Songer"]
 description = """
 Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy
@@ -47,6 +47,6 @@ name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
 [rule.threshold]
-field = ["okta.actor.id"]
+field = ["okta.actor.alternate_id"]
 value = 3
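Review bot: The new grouping key in `[rule.threshold]`, `field = ["okta.actor.alternate_id"]`, is not explained anywhere in the visible lines, and the rule's query sits outside this hunk, so it cannot be confirmed from here that the field is populated on every lockout event the query selects. A threshold rule counts per value of this field, so events that lack it would presumably fall out of the count and the rule would go quiet rather than raise an error; worth checking against sample lockout events before merging. I would record the reason above the line, for example `# grouped by okta.actor.alternate_id because <reason okta.actor.id was unsuitable>`. The description still says "an Okta user account" while the count is now per login identifier rather than per Okta ID, so it may be worth stating there which identifier the three lockouts are counted against.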