diff --git a/rules/cloud/aws_enum_listing.yml b/rules/cloud/aws_enum_listing.yml
index c4e8eb45..213aad86 100644
--- a/rules/cloud/aws_enum_listing.yml
+++ b/rules/cloud/aws_enum_listing.yml
@@ -10,8 +10,9 @@ detection:
 selection_eventname:
 - eventName: list*
 timeframe: 10m
- condition: count() by userIdentity.arn > 50
-
+ condition: count() by "userIdentity.arn" > 50
+fields:
+ - userIdentity.arn
 falsepositives:
 - AWS Config or other configuration scanning activities
 level: low
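Review bot: The rewritten `condition` line still never references `selection_eventname`, so the count is not tied to the `list*` selection; Sigma's aggregation form is a search expression piped into the aggregation, e.g. `condition: selection_eventname | count() by "userIdentity.arn" > 50`. The detection block starts above the hunk, so any other selections defined there (an event-source filter, for instance) would need to be joined into the left side as well. It is also worth confirming that the converter in use accepts a quoted group-by field name, because the hunk gives no indication of how the quoted form is parsed. For the added `fields` entry, a short comment such as `# principal that issued the List* burst` would tell an analyst why that field is surfaced.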