diff --git a/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
index fc883bca4..3a04c2170 100644
--- a/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
+++ b/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/05/12"
 
 [rule]
-author = ["Elastic"]
+author = ["Elastic", "@BenB196", "Austin Songer"]
 description = """
-Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain
-unauthorized access to an Okta user account using these methods and attempt to blend in with normal activity in their
+Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain
+unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their
 target's environment and evade detection.
 """
 false_positives = [
@@ -82,6 +82,7 @@ name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
 
 [rule.threshold]
-field = ["okta.actor.id"]
+field = ["okta.actor.alternate_id"]
 value = 5
 
+
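Review bot: Switching the threshold key from `okta.actor.id` to `okta.actor.alternate_id` changes what `value = 5` counts — attempts are now bucketed per actor login rather than per immutable Okta user ID — but neither the rule file nor the commit records why. Since `alternate_id` is typically the actor's login/email and can be changed, an actor whose login is updated inside the rule's window would be split across two buckets and could stay under the threshold, whereas `okta.actor.id` is stable; worth confirming that trade-off was intended. A one-line comment above the field would keep the rationale with the rule, e.g. `# Keyed on the actor's login (alternate_id) rather than the opaque user id so the threshold bucket is readable to analysts` — adjust if the rule toolchain strips TOML comments. The description in the first hunk still says only "a high number" of attempts; stating that the count is per actor over the rule's window would make the threshold semantics discoverable from the rule text. The final `+` appends an empty line after `value = 5`, which looks incidental to the change.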