diff --git a/rules/cross-platform/credential_access_multi_could_secrets_via_api.toml b/rules/cross-platform/credential_access_multi_could_secrets_via_api.toml
index f2693ff65..d68609bc6 100644
--- a/rules/cross-platform/credential_access_multi_could_secrets_via_api.toml
+++ b/rules/cross-platform/credential_access_multi_could_secrets_via_api.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/01"
 integration = ["aws", "gcp", "azure"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2026/01/12"
 
 [rule]
 author = ["Elastic"]
@@ -109,17 +109,15 @@
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
-FROM logs-azure.platformlogs-*, logs-azure.activitylogs-*, logs-aws.cloudtrail-*, logs-gcp.audit-* METADATA _id, _version, _index
+FROM logs-* METADATA _id, _version, _index
 | WHERE (
 /* AWS Secrets Manager */
 (event.dataset == "aws.cloudtrail" AND event.provider == "secretsmanager.amazonaws.com" AND event.action == "GetSecretValue") OR
+ // Azure Key Vault (platform logs)
 (event.dataset == "azure.platformlogs" AND event.action IN ("SecretGet", "KeyGet")) or
- /* Azure Key Vault (activity logs) */
- (event.dataset == "azure.activitylogs" AND azure.activitylogs.operation_name IN ("MICROSOFT.KEYVAULT/VAULTS/SECRETS/LIST", "MICROSOFT.KEYVAULT/VAULTS/SECRETS/GET")) OR
- /* Azure Managed HSM secret */
- (event.dataset == "azure.activitylogs" AND azure.activitylogs.operation_name LIKE "MICROSOFT.KEYVAULT/managedHSM/keys/*") OR
+
 /* Google Secret Manager */
 (event.dataset IN ("googlecloud.audit", "gcp.audit") AND event.action IN ("google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion", "google.cloud.secretmanager.v1.SecretManagerService.GetSecretRequest"))
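Review bot: `FROM logs-* METADATA _id, _version, _index` on the new source line widens the rule from four named data streams to every `logs-*` index, and the `event.dataset` filter in `| WHERE` is only applied after all of those indices are resolved; if any other `logs-*` integration maps `event.action`, `client.user.id` or another field this query references with a different type, ES|QL may treat the field as unsupported and the rule can fail on that deployment rather than merely scan more data. Naming the datasets the WHERE actually matches, `FROM logs-aws.cloudtrail-*, logs-azure.platformlogs-*, logs-gcp.audit-* METADATA _id, _version, _index`, keeps the semantics with a bounded scan; if the wildcard is deliberate (the WHERE already accepts both `googlecloud.audit` and `gcp.audit`, so it may be covering index names the old list missed), a one-line comment above the FROM saying so would help the next editor. Separately, the added `// Azure Key Vault (platform logs)` comment uses `//` while the sibling section comments in the same block use `/* ... */`; `/* Azure Key Vault (platform logs) */` keeps the block consistent. The `| WHERE (` clause closes outside the visible hunk.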
@@ -129,13 +127,12 @@ FROM logs-azure.platformlogs-*, logs-azure.activitylogs-*, logs-aws.cloudtrail-*
 COALESCE(
 client.user.id,
 aws.cloudtrail.user_identity.arn,
- azure.platformlogs.identity.claim.upn,
 NULL
 )
 // Cloud vendor label based on dataset
 | EVAL Esql.cloud_vendor = CASE(
 event.dataset == "aws.cloudtrail", "aws",
- event.dataset IN ("azure.platformlogs","azure.activitylogs"), "azure",
+ event.dataset == "azure.platformlogs", "azure",
 event.dataset IN ("googlecloud.audit","gcp.audit"), "gcp",
 "unknown"
 )
@@ -167,7 +164,6 @@ FROM logs-azure.platformlogs-*, logs-azure.activitylogs-*, logs-aws.cloudtrail-*
 Esql_priv.user_values = VALUES(Esql_priv.user_id),
 Esql_priv.client_user_id_values = VALUES(client.user.id),
 Esql_priv.aws_user_identity_arn_values = VALUES(aws.cloudtrail.user_identity.arn),
- Esql_priv.azure_upn_values = VALUES(azure.platformlogs.identity.claim.upn),
 // Namespace values
 Esql.data_stream_namespace_values = VALUES(data_stream.namespace)
 BY source.ip
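Review bot: With `azure.platformlogs.identity.claim.upn` removed from the COALESCE, Azure rows now derive `Esql_priv.user_id` from `client.user.id` alone; if the Key Vault platform-log integration does not populate that field, every Azure hit carries a NULL user id and the `VALUES(Esql_priv.user_id)` summary in the last hunk reports no actor for exactly the events this rule exists to surface, so this is worth confirming against the integration's field mappings before shipping (the same field is also dropped from the STATS list in that hunk). The trailing literal in `COALESCE(client.user.id, aws.cloudtrail.user_identity.arn, NULL)` is a no-op, since COALESCE already yields NULL when every argument is NULL; `COALESCE(client.user.id, aws.cloudtrail.user_identity.arn)` reads more clearly unless the literal is there to pin the result type. The CASE change to `event.dataset == "azure.platformlogs", "azure",` is consistent with the activity-log source being dropped from the WHERE.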