diff --git a/query/cloudwatch/log_metric_filter_root_login.sql b/query/cloudwatch/log_metric_filter_root_login.sql
index 5b6dc0a4..574c28cb 100644
--- a/query/cloudwatch/log_metric_filter_root_login.sql
+++ b/query/cloudwatch/log_metric_filter_root_login.sql
@@ -22,7 +22,7 @@ with filter_data as (
 and se ->> 'ReadWriteType' = 'All'
 and trail.log_group_arn is not null
 and filter.log_group_name = split_part(trail.log_group_arn, ':', 7)
-and filter.filter_pattern ~ '\s*\$\.userIdentity.type\s*=\s*"Root"'
+and filter.filter_pattern ~ '\s*\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"'
 and alarm.metric_name = filter.metric_transformation_name
 and subscription.topic_arn = action_arn
 )
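Review bot: The new regex on the added `+` line is inconsistent about whitespace: it tolerates any spacing around `=` and `!=` via `\s*`, but the `invokedBy NOT EXISTS` segment hard-codes single spaces, so a filter pattern written with extra spaces or a tab between `invokedBy`, `NOT` and `EXISTS` is reported as missing even though CloudWatch accepts it, and the control produces a false "alarm" finding. Changing that segment to `\$\.userIdentity\.invokedBy\s+NOT\s+EXISTS` keeps the same matching intent while treating whitespace the way the rest of the pattern already does. The `.+` separators also fix the three clauses in this order; that matches the CIS-published pattern, but a filter listing the same three conditions in another order will not match, which is worth a one-line comment above the predicate so the next maintainer knows the ordering is deliberate. The enclosing `filter_data` CTE begins before this hunk.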