diff --git a/hunting/aws/docs/iam_unusual_default_aviatrix_role_activity.md b/hunting/aws/docs/iam_unusual_default_aviatrix_role_activity.md
index 3802a1ecc89..9843b8d154f 100644
--- a/hunting/aws/docs/iam_unusual_default_aviatrix_role_activity.md
+++ b/hunting/aws/docs/iam_unusual_default_aviatrix_role_activity.md
@@ -22,7 +22,7 @@ from logs-aws.cloudtrail-*
     and aws.cloudtrail.user_identity.arn like "*aviatrix-role*"
 | stats activity_counts = count(*) by event.provider, event.action, aws.cloudtrail.user_identity.arn
 | where activity_counts < 10
-| sort by activity_counts asc
+| sort activity_counts asc
 ```
 
 ## Notes
diff --git a/hunting/aws/queries/iam_unusual_default_aviatrix_role_activity.toml b/hunting/aws/queries/iam_unusual_default_aviatrix_role_activity.toml
index 92bd247ae9a..69298a5743b 100644
--- a/hunting/aws/queries/iam_unusual_default_aviatrix_role_activity.toml
+++ b/hunting/aws/queries/iam_unusual_default_aviatrix_role_activity.toml
@@ -25,5 +25,5 @@ from logs-aws.cloudtrail-*
     and aws.cloudtrail.user_identity.arn like "*aviatrix-role*"
 | stats activity_counts = count(*) by event.provider, event.action, aws.cloudtrail.user_identity.arn
 | where activity_counts < 10
-| sort by activity_counts asc
-''']
\ No newline at end of file
+| sort activity_counts asc
+''']