From 73d9a2fcc196c133187aa2e26dfc51d39b245d04 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Wed, 14 Oct 2020 16:33:25 -0400 Subject: [PATCH] Update cobalt-strike.md "Can you please change to AlertInfo table in MTP, the DeviceAlertEvents table is MDATP one and going to be deprecated." --- Credential Access/cobalt-strike.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Credential Access/cobalt-strike.md b/Credential Access/cobalt-strike.md index c27e5dc3..221f18e0 100644 --- a/Credential Access/cobalt-strike.md +++ b/Credential Access/cobalt-strike.md @@ -17,7 +17,7 @@ The following query identifies accounts that have logged on to compromised endpo ```Kusto // Check for specific alerts -DeviceAlertEvents +AlertInfo // Attempts to clear security event logs. | where Title in("Event log was cleared", // List alerts flagging attempts to delete backup files.
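Review bot: The rest of the query needs checking against the AlertInfo schema, because the hunk at @@ -17,7 +17,7 @@ in Credential Access/cobalt-strike.md changes only the table name and leaves the lines after it untouched. The `Title in(...)` filter visible here carries over, since AlertInfo has a Title column. But the hunk context says the query identifies accounts that have logged on to compromised endpoints, and AlertInfo has no DeviceId column. If the lines outside this hunk rely on a device identifier from the alert row, join AlertInfo to AlertEvidence on AlertId to get it back. Otherwise the query will fail or return nothing after this swap. The subject "Update cobalt-strike.md" could also name the table change, so that the deprecation reason quoted in the message body is findable from the log.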