From f1dee060b644956d67a23aecfa2f782fd1adf1c8 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Mon, 3 Feb 2025 21:43:02 -0500
Subject: [PATCH] [Hunt Tuning] Fixing Sort Logic in Aviatrix Hunting Query (#4432)

* fixing sort logic error
* Update hunting/aws/queries/iam_unusual_default_aviatrix_role_activity.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---
 .../aws/docs/iam_unusual_default_aviatrix_role_activity.md | 2 +-
 .../queries/iam_unusual_default_aviatrix_role_activity.toml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/hunting/aws/docs/iam_unusual_default_aviatrix_role_activity.md b/hunting/aws/docs/iam_unusual_default_aviatrix_role_activity.md
index 3802a1ecc89..9843b8d154f 100644
--- a/hunting/aws/docs/iam_unusual_default_aviatrix_role_activity.md
+++ b/hunting/aws/docs/iam_unusual_default_aviatrix_role_activity.md
@@ -22,7 +22,7 @@ from logs-aws.cloudtrail-*
 and aws.cloudtrail.user_identity.arn like "*aviatrix-role*"
 | stats activity_counts = count(*) by event.provider, event.action, aws.cloudtrail.user_identity.arn
 | where activity_counts < 10
-| sort by activity_counts asc
+| sort activity_counts asc
 ```
 
 ## Notes
diff --git a/hunting/aws/queries/iam_unusual_default_aviatrix_role_activity.toml b/hunting/aws/queries/iam_unusual_default_aviatrix_role_activity.toml
index 92bd247ae9a..69298a5743b 100644
--- a/hunting/aws/queries/iam_unusual_default_aviatrix_role_activity.toml
+++ b/hunting/aws/queries/iam_unusual_default_aviatrix_role_activity.toml
@@ -25,5 +25,5 @@ from logs-aws.cloudtrail-*
 and aws.cloudtrail.user_identity.arn like "*aviatrix-role*"
 | stats activity_counts = count(*) by event.provider, event.action, aws.cloudtrail.user_identity.arn
 | where activity_counts < 10
-| sort by activity_counts asc
-''']
\ No newline at end of file
+| sort activity_counts asc
+''']
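Review bot: The new `| sort activity_counts asc` line orders only by the count, so rows that tie (several provider/action/ARN combinations at the same low count) can come back in an unspecified order that differs from run to run, which makes the hunt output awkward to compare over time. A secondary key, e.g. `| sort activity_counts asc, aws.cloudtrail.user_identity.arn asc, event.action asc`, would give analysts a stable ordering at no cost. The docs hunk for the `.md` copy of this query carries the same single-key sort, so both would need the change to stay in sync. The ES|QL query and the TOML string it lives in (closed here by `''']`) begin outside this hunk.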