Skip to content

[Security Solution] Add data_stream.dataset into Packetbeat ML job queries #219412

New issue
New issue
Open
Open
[Security Solution] Add data_stream.dataset into Packetbeat ML job queries#219412
Labels
Team: SecuritySolutionSecurity Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.Team:MLTeam label for ML (also use :ml)bugFixes for quality problems that affect the customer experiencetriage_needed
@andrewkroh

Description

@andrewkroh
andrewkroh
opened on Apr 28, 2025

Describe the bug:

The network_traffic Fleet integration sets the constant_keyword data_stream.dataset field rather than event.dataset. For the jobs to work on data from Agent (and from standalone Packetbeat) they need to expand their queries. Multiple files are affected:

x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_*.json

For example:

kibana/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_packetbeat/ml/datafeed_packetbeat_rare_user_agent.json

Lines 8 to 11 in 1882697

"should": [
{ "term": { "event.dataset": "http" } },
{ "term": { "event.dataset": "network_traffic.http" } }
],

Any additional context (logs, chat logs, magical formulas, etc.):

Metadata

Metadata

Assignees

No one assigned

    Labels

    Team: SecuritySolutionSecurity Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.Team:MLTeam label for ML (also use :ml)bugFixes for quality problems that affect the customer experiencetriage_needed

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions