diff --git a/rule-packs/sophos-endpoint-security.json b/rule-packs/sophos-endpoint-security.json
index 2f8410a..4725dd1 100644
--- a/rule-packs/sophos-endpoint-security.json
+++ b/rule-packs/sophos-endpoint-security.json
@@ -5,7 +5,7 @@
 "queries": [
 {
 "name": "query0",
- "query": "FIND Device !PROTECTS << sophos_endpoint",
+ "query": "FIND Device THAT !PROTECTS << sophos_endpoint",
 "version": "v1"
 }
 ],
@@ -17,7 +17,7 @@
 "queries": [
 {
 "name": "query0",
- "query": "Find sophos_endpoint that !HAS User THAT IS Person THAT IS okta_user|azure_user|google_user",
+ "query": "FIND sophos_endpoint that !HAS User THAT IS Person THAT IS (okta_user|azure_user|google_user)",
 "version": "v1"
 }
 ],
@@ -29,7 +29,7 @@
 "queries": [
 {
 "name": "query0",
- "query": "FIND sophos_endpoint with tamperProtectionEnabled != true ",
+ "query": "FIND sophos_endpoint WITH tamperProtectionEnabled != true",
 "version": "v1"
 }
 ],
@@ -41,7 +41,7 @@
 "queries": [
 {
 "name": "query0",
- "query": "FIND sophos_endpoint with lockdownStatus != ('installing' or 'registering' or 'starting' or 'stopping' or 'unlocked')",
+ "query": "FIND sophos_endpoint WITH lockdownStatus != ('installing' OR 'registering' OR 'starting' OR 'stopping' OR 'unlocked')",
 "version": "v1"
 }
 ],
@@ -53,7 +53,7 @@
 "queries": [
 {
 "name": "query0",
- "query": "FIND sophos_endpoint with updateStatus != ('upToDate' or 'updating' or 'rebootRequired')",
+ "query": "FIND sophos_endpoint WITH updateStatus != ('upToDate' OR 'updating' OR 'rebootRequired')",
 "version": "v1"
 }
 ],
@@ -65,7 +65,7 @@
 "queries": [
 {
 "name": "query0",
- "query": "FIND sophos_device with portsEnabled != '443'",
+ "query": "FIND sophos_device WITH portsEnabled != '443'",
 "version": "v1"
 }
 ],
@@ -89,7 +89,7 @@
 "queries": [
 {
 "name": "query0",
- "query": "FIND sophos_endpoint WHERE policyType != undefined AND policyTypeUpToDate != true",
+ "query": "FIND sophos_endpoint WITH policyType != undefined AND policyTypeUpToDate != true",
 "version": "v1"
 }
 ],
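Review bot: `FIND Device THAT !PROTECTS << sophos_endpoint` reports every entity of class Device with no incoming PROTECTS edge from a sophos_endpoint, and the Device class in this graph presumably spans things that never run an endpoint agent (network gear, printers, phones), so the finding list is likely to be dominated by devices that are out of scope for Sophos. Unless the rule description already accepts that, scope the query to the platforms Sophos is deployed on with a `WITH` filter on Device — the property name and value set have to be confirmed against the Device entities this account ingests. It is also worth stating in the description that the rule depends on the integration mapping each protected endpoint to its Device entity: a protected endpoint that is not matched to a Device will surface here as unprotected. The rule's name and description are outside the hunk.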
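Review bot: The negated traversal in `FIND sophos_endpoint that !HAS User THAT IS Person THAT IS (okta_user|azure_user|google_user)` may not mean "endpoint with no owner who is an IdP user": `!HAS User` selects endpoints that have no HAS edge to any User, which leaves nothing for the following `THAT IS Person THAT IS (...)` steps to walk, so the rule is plausibly equivalent to plain `FIND sophos_endpoint THAT !HAS User`. Confirm this against the query engine's handling of steps after a negated relationship and, if the stricter reading is intended, express it by selecting endpoints whose owning User lacks the IdP mapping instead. Independently, this is the one query left with a lowercase `that` while every other hunk uppercases keywords; `FIND sophos_endpoint THAT !HAS User ...` keeps the pack consistent.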
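Review bot: The accepted set in `lockdownStatus != ('installing' OR 'registering' OR 'starting' OR 'stopping' OR 'unlocked')` contains no enforced/locked state, so endpoints where lockdown is actually applied are reported alongside those where it is missing or unavailable, and endpoints that carry no `lockdownStatus` property at all match as well because `!=` is true for an undefined value. If the rule's intent is "lockdown not applied where it should be", narrow to the endpoint type the feature applies to and treat the enforced state as compliant, e.g. `WITH lockdownStatus != undefined AND lockdownStatus != ('installing' OR ... OR 'unlocked' OR <the enforced value>)`; the exact status vocabulary has to be taken from the Sophos Central endpoint data the integration ingests, since it is not visible in the pack. The rule description is outside the hunk, so this may already be intended.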
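Review bot: Treating `'rebootRequired'` as compliant in `updateStatus != ('upToDate' OR 'updating' OR 'rebootRequired')` lets an endpoint that never reboots stay unreported indefinitely even though the pre-update agent code is what is still running. If that is acceptable, the rule description should say so explicitly; otherwise split it into a separate rule with an age threshold, provided the integration exposes a timestamp for when the update was staged. Endpoints with no `updateStatus` at all also match here, which is the safe direction but worth a sentence in the description.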
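Review bot: `portsEnabled != '443'` compares a plural-named property against a single string literal, which leaves the rule's meaning ambiguous: if the property is ingested as a list, how the engine evaluates `!=` against a list (no element equal, or some element different) decides whether a device with 443 plus another port is reported, and if it is ingested as a number the string comparison never matches and the rule silently reports nothing. Decide what the rule is asserting (only 443 enabled, 443 among the enabled ports, or any port beyond 443) and write the filter for the property's actual type; a missing value, `WITH portsEnabled = undefined`, is better surfaced as its own finding. Verify the type and shape of `portsEnabled` on the sophos_device entities this integration emits before relying on this query.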
@@ -101,7 +101,7 @@
 "queries": [
 {
 "name": "query0",
- "query": "FIND sophos_endpoint with encryption != true",
+ "query": "FIND sophos_endpoint WITH encryption != true",
 "version": "v1"
 }
 ],
@@ -113,7 +113,7 @@
 "queries": [
 {
 "name": "query0",
- "query": "FIND sophos_user that has a updatedAt > 30 days",
+ "query": "FIND sophos_user WITH lastActive > date.now - 30 days",
 "version": "v1"
 }
 ],
@@ -125,7 +125,7 @@
 "queries": [
 {
 "name": "query0",
- "query": "FIND sophos_user WITH sophos_role that has permissionSet = defined",
+ "query": "FIND sophos_user THAT RELATES TO sophos_role WITH permissionSet != undefined",
 "version": "v1"
 }
 ],
@@ -137,7 +137,7 @@
 "queries": [
 {
 "name": "query0",
- "query": "FIND sophos_endpoint_protection WHERE protected != true",
+ "query": "FIND sophos_endpoint_protection WITH protected != true",
 "version": "v1"
 }
 ],
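Review bot: The comparison direction in `FIND sophos_user WITH lastActive > date.now - 30 days` selects users who have been active within the last 30 days, which is the opposite of what a stale-account rule wants and of what the replaced `updatedAt > 30 days` appears to have been reaching for. If the rule is meant to flag dormant Sophos Central accounts, invert it and treat a missing timestamp as dormant rather than exempt: `FIND sophos_user WITH lastActive < date.now - 30 days OR lastActive = undefined`. If the rule really is about recently active users, the description should say so, since a finding from it would otherwise be read as a dormancy alert; the description lives outside this hunk.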
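Review bot: `THAT RELATES TO sophos_role WITH permissionSet != undefined` is likely to match every user that holds any role, since a role with no permission set at all is the unusual case, so as a privileged-access rule it carries little signal. If the intent is to surface administrative access, compare against the specific privileged permission-set values (the super-admin and admin sets, with the literal values taken from the sophos_role entities this integration creates) rather than testing for presence, and prefer the concrete relationship verb the integration emits over `RELATES TO`, which matches any relationship class. The description should also state that users with no role at all are excluded here, so they are not mistaken for "no privileged access" findings.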