diff --git a/docs/tables/github_security_log/queries.md b/docs/tables/github_security_log/queries.md index 957a8ce..0b372d3 100644 --- a/docs/tables/github_security_log/queries.md +++ b/docs/tables/github_security_log/queries.md @@ -66,7 +66,7 @@ order by folder: Authentication ``` -## Access Token Examples +## Personal Access Token Examples ### Personal Access Token Creation @@ -88,7 +88,7 @@ order by ``` ```yaml -folder: Access Token +folder: Personal Access Token ``` ### Personal Access Token Usage 
@@ -111,72 +111,78 @@ order by ``` ```yaml -folder: Access Token +folder: Personal Access Token ``` -### OAuth Application Authorizations +### Repository-Specific Token Access -Monitor OAuth application authorization events. +Monitor personal access tokens granted access to specific repositories. ```sql select timestamp, action, actor, - oauth_application_name, - oauth_application_id + repositories, + permissions, + repository_selection from github_security_log where - action like 'oauth_authorization.%' + repositories is not null + and action in ('personal_access_token.access_granted', 'personal_access_token.request_created') order by timestamp desc; ``` ```yaml -folder: Access Token +folder: Personal Access Token ``` -### Token Regeneration Events +### Token Permission Changes -Track when authentication tokens were regenerated. +Track changes in token permissions using the old_value field. ```sql select timestamp, action, actor, - token_id, - tp_source_ip + permissions_added, + permissions_unchanged, + permissions_upgraded, + old_value, + new_value from github_security_log where - action like '%regenerate%' + action = 'personal_access_token.request_created' + and (permissions_added is not null or permissions_upgraded is not null) order by timestamp desc; ``` ```yaml -folder: Access Token +folder: Personal Access Token ``` -### Repository-Specific Token Access +## Access Token Examples -Monitor personal access tokens granted access to specific repositories. +### OAuth Application Authorizations + +Monitor OAuth application authorization events. ```sql select timestamp, action, actor, - repositories, - permissions, - repository_selection + oauth_application_name, + oauth_application_id from github_security_log where - repositories is not null - and action in ('personal_access_token.access_granted', 'personal_access_token.request_created') + action like 'oauth_authorization.%' order by timestamp desc; ``` 
@@ -185,25 +191,21 @@ order by folder: Access Token ``` -### Token Permission Changes +### Token Regeneration Events -Track changes in token permissions using the old_value field. +Track when authentication tokens were regenerated. ```sql select timestamp, action, actor, - permissions_added, - permissions_unchanged, - permissions_upgraded, - old_value, - new_value + token_id, + tp_source_ip from github_security_log where - action = 'personal_access_token.request_created' - and (permissions_added is not null or permissions_upgraded is not null) + action like '%regenerate%' order by timestamp desc; ```
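Review bot: In the `@@ -111,72 +111,78 @@` hunk, the relocated "Token Permission Changes" section still says it tracks changes "using the old_value field", but the where clause never references `old_value`. The filter is `permissions_added is not null or permissions_upgraded is not null`, and `old_value` / `new_value` are only selected. Either reword the description to match the filter or add a predicate on `old_value`. The same query matches only `action = 'personal_access_token.request_created'`, while "Repository-Specific Token Access" in this hunk matches both `personal_access_token.access_granted` and `personal_access_token.request_created`. If the narrower filter is intended, state that in the description, since someone using this for monitoring will otherwise assume granted tokens are covered.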
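Review bot: In the `@@ -185,25 +191,21 @@` hunk, the "Token Regeneration Events" query filters with `action like '%regenerate%'`, a leading-wildcard substring match. It will return any action whose name contains that string, unlike the prefix match `action like 'oauth_authorization.%'` used by the OAuth query now placed under the same heading. Consider anchoring the pattern on a prefix or listing the intended action names, so the result set is limited to the token events the description "authentication tokens were regenerated" promises.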