diff --git a/rules/cloud/gcp/gcp_service_account_modified.yml b/rules/cloud/gcp/gcp_service_account_modified.yml
index 172bcc7bb..5f869897c 100644
--- a/rules/cloud/gcp/gcp_service_account_modified.yml
+++ b/rules/cloud/gcp/gcp_service_account_modified.yml
@@ -10,12 +10,12 @@ logsource:
 service: gcp.audit
 detection:
 selection:
- gcp.audit.method_name:
- - *.serviceAccounts.patch
- - *.serviceAccounts.create
- - *.serviceAccounts.update
- - *.serviceAccounts.patch
- - *.serviceAccounts.enable
+ gcp.audit.method_name|endswith:
+ - .serviceAccounts.patch
+ - .serviceAccounts.create
+ - .serviceAccounts.update
+ - .serviceAccounts.disable
+ - .serviceAccounts.enable
 condition: selection
 level: medium
 tags:
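Review bot: The suffix list under `gcp.audit.method_name|endswith` covers patch, create, update, disable and enable, but has no entry for `.serviceAccounts.delete` or `.serviceAccounts.undelete`. Because the match is anchored at the end of the string, it also will not see key operations such as `.serviceAccounts.keys.create`. If a sibling rule does not already handle those (none is visible in this hunk), add them here, or state the split in the rule's description so the gap is clearly deliberate. It is also worth validating the rule against a captured audit log entry, since the selection only fires if the mapped `method_name` field really ends in these REST-style suffixes in your pipeline. The rule's title, description and falsepositives lie outside the hunk.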