diff --git a/Credential Access/cobalt-strike.md b/Credential Access/cobalt-strike.md index c27e5dc3..221f18e0 100644 --- a/Credential Access/cobalt-strike.md +++ b/Credential Access/cobalt-strike.md @@ -17,7 +17,7 @@ The following query identifies accounts that have logged on to compromised endpo ```Kusto // Check for specific alerts -DeviceAlertEvents +AlertInfo // Attempts to clear security event logs. | where Title in("Event log was cleared", // List alerts flagging attempts to delete backup files.
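Review bot: Swapping `DeviceAlertEvents` for `AlertInfo` changes the available columns, not just the table name, and the hunk only shows the first line of the query. `AlertInfo` carries `AlertId`, `Title`, `Timestamp`, `Category`, `Severity`, `ServiceSource` and `DetectionSource` but no `DeviceId` or `DeviceName`; those device fields live in `AlertEvidence`. Since the surrounding text says the query "identifies accounts that have logged on to compromised endpoints", the part of the query after this hunk presumably correlates the alert with the affected device, and that correlation will break against `AlertInfo` unless it first joins `AlertEvidence` on `AlertId` to recover `DeviceId`. Please confirm the rest of the query was updated accordingly (for example `AlertInfo | where Title in(...) | join AlertEvidence on AlertId | ...`), and consider noting in the query comment that it now targets the Microsoft 365 Defender unified schema rather than the Defender for Endpoint-only `DeviceAlertEvents` table. The `Title in(...)` filter itself is fine, as `Title` exists in both tables.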