diff --git a/defender-endpoint/attack-surface-reduction-rules-deployment-operationalize.md b/defender-endpoint/attack-surface-reduction-rules-deployment-operationalize.md index cad668f09a..ede02fc8b2 100644 --- a/defender-endpoint/attack-surface-reduction-rules-deployment-operationalize.md +++ b/defender-endpoint/attack-surface-reduction-rules-deployment-operationalize.md @@ -73,7 +73,7 @@ If you want to focus on the AsrOfficeChildProcess rule and get details on the ac ```kusto DeviceEvents -| where (Actiontype startswith "AsrOfficechild") +| where (ActionType startswith "AsrOfficechild") | extend RuleId=extractjson("$Ruleid", AdditionalFields, typeof(string)) | project DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine ```
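Review bot: The unchanged `extend` line in this query still needs attention: `extractjson("$Ruleid", AdditionalFields, typeof(string))` uses a JSON path without the `$.` separator, and the `RuleId` column it produces is not in the `project` list, so it is computed and then dropped. Suggest changing the path to `"$.RuleId"` (after confirming the key's casing against a sample event's `AdditionalFields`) and adding `RuleId` to the projection, or removing the `extend` line. The `ActionType` correction itself is right because Kusto column names are case-sensitive. The string `"AsrOfficechild"` still matches because `startswith` is case-insensitive, but writing it as `"AsrOfficeChild"` would agree with the rule name used in the surrounding text.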