Update AWS Rule to use fieldref modifier instead of contains
Summary of the Pull Request
In deploying this rule, the Grafana SecOps team discovered that the contains modifier does not reference the field that this rule is trying to reference. Instead, we discovered that there is another modifier in pySigma, called fieldref, that will enable field referencing. This enables us to update pySigma-backend-loki to reflect this modifier.
Changelog
update: AWS User Login Profile Was Modified - use fieldref instead of contains modifier
Example Log Event
An (abridged) event we want to match on:
{"eventName": "UpdateLoginProfile", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/OrgAdmin"}, "requestParameters": {"userName": "arn:aws:iam::123456789012:user/Alice"}}
Whereas something we don't want to detect on:
{"eventName": "UpdateLoginProfile", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/Alice"}, "requestParameters": {"userName": "arn:aws:iam::123456789012:user/Alice"}}
Fixed Issues
SigmaHQ Rule Creation Conventions
- If your PR adds new rules, please consider following and applying these conventions
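To see why the modifier change matters, the following added Python example (not code from this PR, SigmaHQ or pySigma) evaluates both sample events above under the two modifier semantics. It assumes the rule's shape: a selection on UpdateLoginProfile minus a filter meant to drop self-service changes by comparing userIdentity.arn with requestParameters.userName; that shape and all helper names are assumptions.

```python
import json

# Constructed sample events: the two abridged CloudTrail records from the PR description.
ADMIN_MODIFIES_ALICE = json.loads(
    '{"eventName": "UpdateLoginProfile", '
    '"userIdentity": {"arn": "arn:aws:iam::123456789012:user/OrgAdmin"}, '
    '"requestParameters": {"userName": "arn:aws:iam::123456789012:user/Alice"}}'
)
ALICE_SELF_SERVICE = json.loads(
    '{"eventName": "UpdateLoginProfile", '
    '"userIdentity": {"arn": "arn:aws:iam::123456789012:user/Alice"}, '
    '"requestParameters": {"userName": "arn:aws:iam::123456789012:user/Alice"}}'
)

def get_field(event, dotted_path):
    """Resolve a dotted Sigma field name (e.g. userIdentity.arn) against a nested JSON event."""
    current = event
    for part in dotted_path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current

def matches_contains(event, field, value):
    """`contains` modifier: the field's value must contain VALUE as a literal substring."""
    actual = get_field(event, field)
    return isinstance(actual, str) and value in actual

def matches_fieldref(event, field, other_field):
    """`fieldref` modifier: the field's value must equal the value found in OTHER_FIELD."""
    actual = get_field(event, field)
    return actual is not None and actual == get_field(event, other_field)

def login_profile_modified_by_other(event, modifier="fieldref"):
    """Assumed rule shape: select UpdateLoginProfile, then drop self-service changes
    (userIdentity.arn equals requestParameters.userName). Returns True when the rule fires."""
    if get_field(event, "eventName") != "UpdateLoginProfile":
        return False
    if modifier == "contains":
        # Searches the ARN for the literal text "requestParameters.userName": never true,
        # so the filter never applies and every UpdateLoginProfile event fires.
        is_self_change = matches_contains(event, "userIdentity.arn", "requestParameters.userName")
    elif modifier == "fieldref":
        is_self_change = matches_fieldref(event, "userIdentity.arn", "requestParameters.userName")
    else:
        raise ValueError(f"unsupported modifier: {modifier}")
    return not is_self_change
```

With fieldref only the OrgAdmin-modifies-Alice event fires; with contains the self-service event fires too, which is the false positive the PR removes.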
@phantinuss I know we don't use the AWS rules but just to confirm with you. Using an unsupported modifier (internally) should be fine I suppose.