diff --git a/Discovery/qakbot-campaign-esentutl.md b/Discovery/qakbot-campaign-esentutl.md
index 00da7416..155b2bc2 100644
--- a/Discovery/qakbot-campaign-esentutl.md
+++ b/Discovery/qakbot-campaign-esentutl.md
@@ -10,11 +10,10 @@ The following query detects possible use of the system process, *esentutl.exe*,
 ```Kusto
 DeviceProcessEvents
-| where FileName == "esentutl.exe"
-| where ProcessCommandLine has "WebCache"
-| where ProcessCommandLine has_any ("V01", "/s", "/d")
-| project ProcessCommandLine,
-InitiatingProcessParentFileName, DeviceId, Timestamp
+| where FileName =~ "esentutl.exe"
+| where ProcessCommandLine contains "WebCache"
+| where ProcessCommandLine contains "V01" or ProcessCommandLine contains @"/s" or ProcessCommandLine contains @"/d"
+| project ProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp
 ```
 ## Category
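Review bot: The process filter on the new `| where FileName =~ "esentutl.exe"` line is defeated by simply renaming the binary, which is routine for LOLBin abuse; DeviceProcessEvents also exposes the PE's original name, so matching on it as well closes that gap: `| where FileName =~ "esentutl.exe" or ProcessVersionInfoOriginalFileName =~ "esentutl.exe"`. The move to `contains` on the following lines deserves a second look too: `contains @"/s"` and `contains @"/d"` are case-insensitive substring matches that hit any `/s…` or `/d…` token in the command line, and `contains "V01"` is already satisfied by any path ending in `WebCacheV01.dat`, so the third `where` adds little selectivity beyond the `WebCache` filter and the note above the query should say which esentutl switches (e.g. `/r` with `/s` and `/d`) it is really after. If this query is meant to be saved as a custom detection rule, the `project` line should also keep `ReportId` (and `DeviceName` for triage), since custom detections require Timestamp, DeviceId and ReportId to be present in the output.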