diff --git a/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml b/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml
index a15d92086ad..39c54e4f149 100644
--- a/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml
+++ b/rules/integrations/aws/credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/20"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/10"
+updated_date = "2025/11/04"
 
 [rule]
 author = ["Elastic"]
@@ -70,7 +70,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-any where event.dataset == "aws.cloudtrail"
+iam where event.dataset == "aws.cloudtrail"
    and event.action == "AttachUserPolicy"
    and event.outcome == "success"
    and stringContains(aws.cloudtrail.request_parameters, "AWSCompromisedKeyQuarantine")
@@ -89,3 +89,18 @@ id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
 
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "event.action",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters"
+]