diff --git a/rules_building_block/discovery_userdata_request_from_ec2_instance.toml b/rules_building_block/discovery_userdata_request_from_ec2_instance.toml
index 7bdcee77c..b00fc3db0 100644
--- a/rules_building_block/discovery_userdata_request_from_ec2_instance.toml
+++ b/rules_building_block/discovery_userdata_request_from_ec2_instance.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.9.0"
-updated_date = "2024/04/14"
+updated_date = "2024/06/10"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ gather sensitive data from the instance or to identify potential vulnerabilities
 does not generate an alert on its own, but serves as a signal for anomalous activity.
 """
 from = "now-119m"
-index = ["filebeat-*", "logs.aws.cloudtrail-*"]
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 interval = "60m"
 language = "kuery"
 license = "Elastic License v2"
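Review bot: Events ingested while the `index` entry read `logs.aws.cloudtrail-*` (second hunk) will not be re-evaluated after this fix, because the rule only looks back `from = "now-119m"`. The old pattern does not follow the `logs-<dataset>-<namespace>` data stream naming, so the rule presumably matched only `filebeat-*` on deployments that ship CloudTrail through the AWS integration. The commit description should say so, so that operators who depend on this building-block signal know to search the earlier window by hand. The same `logs.aws.` typo may exist in other AWS rules, and a repository test that rejects integration index patterns not starting with `logs-` would stop it recurring; neither is visible from this hunk. The `[rule]` table continues beyond both ends of this hunk.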