diff --git a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
index 513e00888..6dad3ef82 100644
--- a/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
+++ b/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml
@@ -13,12 +13,12 @@ logsource:
 service: x509
 detection:
 selection:
- certificate_serial: 8bb00ee
+ certificate.serial: 8bb00ee
 condition: selection
 fields:
- - san_dns
- - certificate_subject
- - certificate_issuer
+ - san.dns
+ - certificate.subject
+ - certificate.issuer
 falsepositives:
 - none
 level: high
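Review bot: The serial on the added `certificate.serial` line is still a plain scalar; it only survives as a string because it contains letters, and a serial made of digits alone (or with a leading zero) would be retyped by the YAML loader and silently never match, so quote it as `certificate.serial: '8bb00ee'` to make the string intent explicit. Serial values are typically hex strings whose case varies by log producer, so a short comment above the selection stating that the match relies on the backend's case-insensitive string comparison would help the next maintainer reason about this. The field renames in `selection` and `fields` move from underscore to dotted Zeek-style names; if a backend field-mapping configuration elsewhere still translates `certificate_serial`, `san_dns` and the other old names, that mapping presumably has to change in the same commit or the rule stops matching without error, which this hunk does not show. The rule's title, description and references lie outside the hunk, so it is not visible here whether they were updated to mention the new field naming.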