From f5d2175c7716218eb2a4fd7747f0d181dc125bf4 Mon Sep 17 00:00:00 2001 From: Anton W <116081795+AntonWilloughby@users.noreply.github.com> Date: Tue, 25 Feb 2025 12:05:15 -0500 Subject: [PATCH] Update attack-surface-reduction-rules-deployment-operationalize.md Syntax error in one of the KQL examples preventing query from running and throwing error message. --- .../attack-surface-reduction-rules-deployment-operationalize.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/attack-surface-reduction-rules-deployment-operationalize.md b/defender-endpoint/attack-surface-reduction-rules-deployment-operationalize.md index cad668f09a..ede02fc8b2 100644 --- a/defender-endpoint/attack-surface-reduction-rules-deployment-operationalize.md +++ b/defender-endpoint/attack-surface-reduction-rules-deployment-operationalize.md @@ -73,7 +73,7 @@ If you want to focus on the AsrOfficeChildProcess rule and get details on the ac ```kusto DeviceEvents -| where (Actiontype startswith "AsrOfficechild") +| where (ActionType startswith "AsrOfficechild") | extend RuleId=extractjson("$Ruleid", AdditionalFields, typeof(string)) | project DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine ```
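Review bot: The `Actiontype` to `ActionType` change in the `where` clause is correct (KQL column names are case-sensitive, and `ActionType` is the DeviceEvents column), but the next line of the same hunk has the same class of issue: `extractjson("$Ruleid", AdditionalFields, typeof(string))` uses a case-sensitive JSON path, so it returns empty unless the key in `AdditionalFields` is spelled exactly `Ruleid`. Please verify the key's casing against a real ASR event and, if it is `RuleId`, fix it in this PR rather than leaving a second silent failure (an empty `RuleId` column) behind a fixed loud one. The string literal in `startswith "AsrOfficechild"` is fine as-is, since `startswith` is case-insensitive; `startswith_cs` would be the case-sensitive form. Minor style point: the parentheses around the `where` predicate are redundant and can be dropped.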