adjusted query

rules/integrations/aws/collection_s3_unauthenticated_bucket_listing.toml

@@ -102,8 +102,10 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
-event.dataset:"aws.cloudtrail"
-    and event.provider:"s3.amazonaws.com" and event.action:"ListObjects"
+event.dataset: "aws.cloudtrail"
+    and event.provider: "s3.amazonaws.com"
+    and event.action: "ListObjects"
+    and event.outcome: "success"
     and aws.cloudtrail.user_identity.type: ("AWSAccount" or "Unknown")
     and cloud.account.id: "anonymous"
 '''