diff --git a/dns/elasticbeantalk-takeover-detection.yaml b/dns/elasticbeantalk-takeover-detection.yaml
deleted file mode 100644
index a4b596bf90..0000000000
--- a/dns/elasticbeantalk-takeover-detection.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-id: elasticbeantalk-takeover-detection
-
-info:
-  name: Elastic BeanTalk takeover detection
-  author: philippedelteil
-  severity: high
-  reference:
-    - https://github.com/EdOverflow/can-i-take-over-xyz/issues/147
-    - https://twitter.com/payloadartist/status/1362035009863880711
-    - https://www.youtube.com/watch?v=srKIqhj_ki8
-  tags: dns,takeover,aws
-
-dns:
-  - name: "{{FQDN}}"
-    type: A
-    class: inet
-    recursion: true
-    retries: 3
-    matchers-condition: and
-    matchers:
-      - type: word
-        words:
-          - "elasticbeanstalk"
-      - type: word
-        words:
-          - "NXDOMAIN"
diff --git a/dns/elasticbeantalk-takeover.yaml b/dns/elasticbeantalk-takeover.yaml
new file mode 100644
index 0000000000..8a06147859
--- /dev/null
+++ b/dns/elasticbeantalk-takeover.yaml
@@ -0,0 +1,45 @@
+id: elasticbeantalk-takeover
+
+info:
+  name: ElasticBeanTalk takeover detection
+  author: philippedelteil,rotemreiss
+  severity: high
+  reference:
+    - https://github.com/EdOverflow/can-i-take-over-xyz/issues/147 # kudos to @m7mdharoun for sharing process details.
+    - https://twitter.com/payloadartist/status/1362035009863880711
+    - https://www.youtube.com/watch?v=srKIqhj_ki8
+  tags: dns,takeover,aws
+  additional-fields:
+    comments: |
+      Only CNAMEs with region specification are hijackable.
+      You need to claim the CNAME in AWS portal (https://aws.amazon.com/) or via AWS CLI to confirm the takeover.
+      Do not report this without claiming the CNAME.
+      CLI command to verify the availability of the environment:
+      aws elasticbeanstalk check-dns-availability --region {AWS_REGION} --cname-prefix {CNAME_PREFIX}
+      For example:
+      CNAME - 2rs3c.eu-west-1.elasticbeanstalk.com
+      Command - aws elasticbeanstalk check-dns-availability --region eu-west-1 --cname-prefix 2rs3c
+
+dns:
+  - name: "{{FQDN}}"
+    type: A
+    class: inet
+    recursion: true
+    retries: 3
+
+    matchers-condition: and
+    matchers:
+
+      - type: regex
+        regex:
+          - \.(us|af|ap|ca|eu|me|sa)\-(east|west|south|northeast|southeast|central)\-[1-9]+\.elasticbeanstalk\.com
+
+      - type: word
+        words:
+          - "NXDOMAIN"
+
+    extractors:
+      - type: regex
+        group: 1
+        regex:
+          - "IN\tCNAME\t(.+)"