From 7ccb773b20ee2494e62279f3484c7b08f5a1f889 Mon Sep 17 00:00:00 2001
From: Rachel Rice <rachel.rice@lacework.net>
Date: Thu, 2 Sep 2021 17:37:41 +0100
Subject: [PATCH] Update AWS Update Login Profile rule

Update selection criteria for AWS Update Login Profile rule to check for mismatch between userIdentity.arn and requestParameters.userName.
Closes SigmaHQ/sigma#1966.
---
 rules/cloud/aws/aws_update_login_profile.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/cloud/aws/aws_update_login_profile.yml b/rules/cloud/aws/aws_update_login_profile.yml
index 8ac3ea17..6815fe2f 100644
--- a/rules/cloud/aws/aws_update_login_profile.yml
+++ b/rules/cloud/aws/aws_update_login_profile.yml
@@ -15,7 +15,7 @@ detection:
         eventSource: iam.amazonaws.com
         eventName: UpdateLoginProfile
     filter:
-        userIdentity.arn|contains: responseElements.accessKey.userName
+        userIdentity.arn|contains: requestParameters.userName
     condition: selection_source and not filter
 fields:
     - userIdentity.arn