diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
index 3b0e313266..19bcd021e5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
+++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
@@ -30,10 +30,10 @@ This capability is supported beginning with Windows version 1607.
 Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Microsoft Defender ATP:
 
 ```
-MiscEvents
-| where EventTime > ago(7d) and
+DeviceEvents
+| where Timestamp > ago(7d) and
 ActionType startswith "AppControl"
-| summarize Machines=dcount(ComputerName) by ActionType
+| summarize Machines=dcount(DeviceName) by ActionType
 | order by Machines desc
 ```