diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
index 906d0606e..71e355c47 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2021/08/30"
 integration = "azure"
 
 [rule]
@@ -34,7 +34,7 @@ type = "query"
 
 query = '''
 event.dataset:azure.signinlogs and
- azure.signinlogs.properties.risk_level_during_signin:high and
+ (azure.signinlogs.properties.risk_level_during_signin:high or azure.signinlogs.properties.risk_level_aggregated:high) and
  event.outcome:(success or Success)
 '''
 
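Review bot: The added OR branch packs both risk fields onto one long line inside the query, while the rest of the query keeps one condition per line; splitting it as `(azure.signinlogs.properties.risk_level_during_signin:high or` followed by `azure.signinlogs.properties.risk_level_aggregated:high) and` keeps the existing layout and makes future diffs to either condition readable. The parentheses are correct, since the outcome filter still applies to both branches. Because the rule now also fires on aggregated risk, the rule's `name`, `description` and investigation note (outside this hunk) should be checked so they no longer describe only the real-time sign-in risk level. Aggregated risk appears to be a per-user value that can persist across later sign-ins until remediated, so this branch may alert repeatedly for the same account; that is worth stating in the note or handling with the rule's grouping settings, though the exact Azure semantics are not visible here. The first hunk is a date bump only.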