diff --git a/rules/azure_signin_rules/azure_failed_signins.yml b/rules/azure_signin_rules/azure_failed_signins.yml
index 0810d7d1d..71234a6aa 100644
--- a/rules/azure_signin_rules/azure_failed_signins.yml
+++ b/rules/azure_signin_rules/azure_failed_signins.yml
@@ -20,6 +20,7 @@ Runbook: >
   Querying Sign-In logs for the ServicePrincipalName or UserPrincipalName may indicate
   that the principal is under attack, or that a sign-in credential rolled and some 
   user of the credential didn't get updated.
+Reference: https://learn.microsoft.com/en-us/entra/identity/authentication/overview-authentication
 SummaryAttributes:
   - properties:ServicePrincipalName
   - properties:UserPrincipalName