diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
index e686dbac6..7cfe58171 100644
--- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
+++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
@@ -31,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
 authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
 """
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -100,9 +99,14 @@ This rule identifies potential password guessing/brute force activity from a sin
 
 ## Setup
 
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+- In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). This edge case will break the rule condition and it won't trigger an alert.
 """
-references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"]
+references = [
+    "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625",
+    "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624",
+    "https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity",
+    "https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638",
+]
 risk_score = 47
 rule_id = "48b6edfc-079d-4907-b43c-baffa243270d"
 severity = "medium"
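Review bot: The new Setup bullet in the second hunk documents a blind spot but stops at "it won't trigger an alert", giving the operator no compensating action; since the rule condition appears to key on the source address (the query itself is outside this hunk), 4625 events with an empty network address are silent false negatives rather than a visible failure. I would end the bullet with one sentence such as `Pair this rule with account-centric logon-failure detections so that attempts from hosts that omit the network address are still covered.` Stylistically, `## Setup` now holds a single markdown list item while the rest of the description is plain paragraphs; dropping the leading `- ` keeps the section consistent. The docs.microsoft.com reference likely redirects to learn.microsoft.com and the TechNet forum thread may no longer be live, so the four links are worth verifying before merge. The `description` multi-line string opens before this hunk.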