From a2a9426c05b89ec2320b3a2e589d01b21aac2fe2 Mon Sep 17 00:00:00 2001
From: James Gowdy <jgowdy@elastic.co>
Date: Wed, 6 May 2020 09:56:09 +0100
Subject: [PATCH] [ML] Fix packetbeat module query (#65241) (#65357)

---
 .../siem_packetbeat/ml/datafeed_packetbeat_rare_user_agent.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/datafeed_packetbeat_rare_user_agent.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/datafeed_packetbeat_rare_user_agent.json
index c5938aa200cd..5986c326ea80 100644
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/datafeed_packetbeat_rare_user_agent.json
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/datafeed_packetbeat_rare_user_agent.json
@@ -7,7 +7,7 @@
   "query": {
     "bool": {
       "filter": [
-        {"term": {"event.dataset": "dns"}},
+        {"term": {"event.dataset": "http"}},
         {"term": {"agent.type": "packetbeat"}}
       ],
       "must_not": [