diff --git a/Campaigns/apt sofacy.txt b/Campaigns/apt sofacy.txt
index 5b1ffc5..82cabee 100644
--- a/Campaigns/apt sofacy.txt
+++ b/Campaigns/apt sofacy.txt
@@ -1,7 +1,7 @@
 // Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_sofacy.yml
 // Questions via Twitter: @janvonkirchheim
-ProcessCreationEvents
-| where EventTime > ago(7d)
+DeviceProcessEvents
+| where Timestamp > ago(7d)
 | where ProcessCommandLine matches regex @'rundll32\.exe %APPDATA%.*\.dat",'
 or ProcessCommandLine matches regex @'rundll32\.exe %APPDATA%.*\.dll",#1'
-| top 100 by EventTime desc
+| top 100 by Timestamp desc
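Review bot: The two `matches regex` predicates kept as context after the new `DeviceProcessEvents` / `Timestamp` lines are case-sensitive in Kusto, so a command line spelled `RUNDLL32.EXE` or `RunDll32.exe` — which is common in real process trees and trivial for an attacker to choose — never matches, and the migration to the new table does not change that. Prefix both patterns with the RE2 case-insensitive flag: `| where ProcessCommandLine matches regex @'(?i)rundll32\.exe %APPDATA%.*\.dat",'` and `or ProcessCommandLine matches regex @'(?i)rundll32\.exe %APPDATA%.*\.dll",#1'`. The patterns also require the literal, unexpanded `%APPDATA%` token in the recorded command line; that mirrors the referenced Sigma rule, but it is worth a comment noting that invocations where the shell already expanded the variable will not be caught, so the query is a high-precision, low-recall hunt rather than broad coverage. Finally, `| top 100 by Timestamp desc` silently truncates the result set; for a hunting query a `summarize count() by DeviceName` or a higher cap would avoid hiding older hits on a noisy tenant.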