diff --git a/Detections/MultipleDataSources/SuspiciousAWSCLICommandExecution.yaml b/Detections/MultipleDataSources/SuspiciousAWSCLICommandExecution.yaml
index 9c923f8e4eb..c5fd0f51811 100644
--- a/Detections/MultipleDataSources/SuspiciousAWSCLICommandExecution.yaml
+++ b/Detections/MultipleDataSources/SuspiciousAWSCLICommandExecution.yaml
@@ -49,5 +49,9 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: SourceIpAddress
+customDetails:
+ SuspiciousCommand: commands
+ AWSUser: UserIdentityUserName
+ AWSUserIp: SourceIpAddress
 kind: Scheduled
 version: 1.0.0
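Review bot: The new `customDetails` block surfaces `commands` in the alert payload, and if that column holds the raw AWS CLI argument string it can carry credentials (`aws configure set aws_secret_access_key …`, `--secret-access-key`, session tokens) into incidents, notifications and any SOAR or ticketing export, which usually have wider read access than the underlying CloudTrail or endpoint logs. Consider redacting such arguments in the query before projecting `commands`, or at least flagging the exposure above the key with `# commands is raw CLI input; secrets passed on the command line will surface in the incident` so downstream consumers can decide. The three referenced columns (`commands`, `UserIdentityUserName`, `SourceIpAddress`) must be projected by the query's final operator — the query lies outside this hunk, so that cannot be confirmed here — and `SourceIpAddress` is already exposed via the entity mapping on the context lines, so `AWSUserIp` duplicates it. The template's content changed but `version: 1.0.0` on the last context line is untouched; the usual convention for these rule templates is to bump it, `version: 1.0.1`.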