diff --git a/Tools/Sample Code/AzureSentinel-ManagementAPICsharp/AzureSentinel_ManagementAPI/Templates/ScheduledAlertRulePayload/ScheduledAlertRulePayload.json b/Tools/Sample Code/AzureSentinel-ManagementAPICsharp/AzureSentinel_ManagementAPI/Templates/ScheduledAlertRulePayload/ScheduledAlertRulePayload.json
index e531ed0f86..c12b54ac64 100644
--- a/Tools/Sample Code/AzureSentinel-ManagementAPICsharp/AzureSentinel_ManagementAPI/Templates/ScheduledAlertRulePayload/ScheduledAlertRulePayload.json
+++ b/Tools/Sample Code/AzureSentinel-ManagementAPICsharp/AzureSentinel_ManagementAPI/Templates/ScheduledAlertRulePayload/ScheduledAlertRulePayload.json
@@ -10,7 +10,7 @@
 "Persistence",
 "LateralMovement"
 ],
- "query": "AzureActivity | where isnotempty(OperationName)",
+ "query": "AzureActivity | where isnotempty(OperationNameValue)",
 "queryFrequency": "PT1H",
 "queryPeriod": "P2DT1H30M",
 "triggerOperator": "GreaterThan",
diff --git a/Workbooks/AzureActivity.json b/Workbooks/AzureActivity.json
index 0c91fe2a1f..89785c8952 100644
--- a/Workbooks/AzureActivity.json
+++ b/Workbooks/AzureActivity.json
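Review bot: After the column swap the template query `AzureActivity | where isnotempty(OperationNameValue)` still matches every activity record that carries an operation id, so the scheduled rule would trigger on essentially all activity in its P2DT1H30M window rather than on any specific condition, and the hunk does not narrow it. If this is intended as a match-all placeholder for the sample, it would help to state that in the rule's `description` property (if the payload carries one; it is outside this hunk) so that a copy of the template is not deployed as-is. The rest of the rule object (severity, trigger threshold) lies outside the hunk, so how noisy the resulting incidents would be cannot be judged from here.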
@@ -180,7 +180,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "AzureActivity\r\n| where \"{Caller:lable}\" == \"All\" or Caller in ({Caller})\r\n| where \"{ResourceGroup:lable}\" == \"All\" or ResourceGroup in ({ResourceGroup})\r\n| summarize deletions = countif(OperationName contains \"Delete\"), creations = countif(OperationName contains \"Create\"), updates = countif(OperationName contains \"Update\"), Activities = count(OperationName) by bin_at(TimeGenerated, 1h, now())\r\n",
+ "query": "AzureActivity\r\n| where \"{Caller:lable}\" == \"All\" or Caller in ({Caller})\r\n| where \"{ResourceGroup:lable}\" == \"All\" or ResourceGroup in ({ResourceGroup})\r\n| summarize deletions = countif(OperationNameValue endswith \"delete\"), creations = countif(OperationNameValue endswith \"write\"), updates = countif(OperationNameValue endswith \"write\"), Activities = count(OperationNameValue) by bin_at(TimeGenerated, 1h, now())\r\n",
 "size": 0,
 "exportToExcelOptions": "visible",
 "title": "Activities over time",
@@ -202,7 +202,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "AzureActivity\r\n| where \"{Caller:lable}\" == \"All\" or Caller in ({Caller})\r\n| where \"{ResourceGroup:lable}\" == \"All\" or ResourceGroup in ({ResourceGroup})\r\n| summarize deletions = countif(OperationName contains \"Delete\"), creations = countif(OperationName contains \"Create\"), updates = countif(OperationName contains \"Update\"), Activities = count() by Caller\r\n",
+ "query": "AzureActivity\r\n| where \"{Caller:lable}\" == \"All\" or Caller in ({Caller})\r\n| where \"{ResourceGroup:lable}\" == \"All\" or ResourceGroup in ({ResourceGroup})\r\n| summarize deletions = countif(OperationNameValue endswith \"Delete\"), creations = countif(OperationNameValue endswith \"write\"), updates = countif(OperationNameValue endswith \"write\"), Activities = count() by Caller\r\n",
 "size": 1,
 "exportToExcelOptions": "visible",
 "title": "Caller activities",
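Review bot: In the rewritten summarize, `creations = countif(OperationNameValue endswith "write")` and `updates = countif(OperationNameValue endswith "write")` are the same expression, so the "creations" and "updates" series of the "Activities over time" chart always plot identical values; the @@ -202 hunk ("Caller activities") carries the same duplication. The operation-id suffix the new query keys on does not separate a create from an update the way the old `contains "Create"` / `contains "Update"` test on the friendly `OperationName` did, so there is no direct one-to-one replacement. Either collapse the pair into one series, e.g. `writes = countif(OperationNameValue endswith "write")` and drop `updates`, or keep the split only if another column in the record can tell the two apart. Separately, pick one casing for the delete literal: this hunk uses `endswith "delete"` and the -202 hunk `endswith "Delete"`; KQL `endswith` is case-insensitive so the counts agree, but the inconsistency reads as unintended.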