diff --git a/lib/helpers/rules.rb b/lib/helpers/rules.rb
index 570b69d59..715453e69 100644
--- a/lib/helpers/rules.rb
+++ b/lib/helpers/rules.rb
@@ -79,7 +79,7 @@ class Rules
 " query_string:\n" +
 # on box as:
 # query: "user.name: 'crackme' AND event.module: 'auditd' AND event.outcome: 'success' AND event.category: 'authentication'"
- ' query: \"user.name: \"' + goal['account_name'] +'\' AND event.module: auditd AND event.category: authentication AND event.outcome: success\"' + "\n" +
+ ' query: "user.name: \'' + goal['account_name'] +'\' AND event.module: \'auditd\' AND event.category: \'authentication\' AND event.outcome: \'success"' + "\n" +
 "alert:\n" +
 " - \"elastalert.modules.alerter.exec.ExecAlerter\"\n" +
 "command: [\"/usr/bin/ruby\", \"/opt/alert_actioner/alert_router.rb\"]\n" +
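Review bot: The added line still leaves the last clause unbalanced: it emits `event.outcome: 'success"`, with the opening single quote before `success` but no closing one, whereas the on-box example in the comment two lines above shows `event.outcome: 'success'`, so the generated query_string will not match what the comment documents. The closing quote is one character: `' query: "user.name: \'' + goal['account_name'] + '\' AND event.module: \'auditd\' AND event.category: \'authentication\' AND event.outcome: \'success\'"' + "\n" +`. Separately, `goal['account_name']` is concatenated into a YAML double-quoted scalar and a Lucene query without escaping, so a value containing `"` or `\` breaks the rule file and query operators in the value would alter the search; if that value is not strictly validated upstream, escape those characters or build the rule as a Hash and serialize it with the YAML library instead of string concatenation. The enclosing method starts and ends outside this hunk.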