Wrong ML Job query packetbeat_rare_user_agent or missing event.dataset in network traffic data?

willemdh · April 18, 2025, 1:19pm

Hello,

The query of the managed machine learning job packetbeat_rare_user_agent doesn't match with any documents. It seems like event.dataset is not in the logs-network_traffic.http-* datastream?

{"bool":{"filter":[{"term":{"agent.type":"packetbeat"}}],"should":[{"term":{"event.dataset":"http"}},{"term":{"event.dataset":"network_traffic.http"}}],"minimum_should_match":1,"must_not":[{"wildcard":{"user_agent.original":{"value":"Mozilla*"}}}]}}

Changed the to "event.dataset" to "data_stream.dataset" and it works.

Willem

RylandHerrick · April 29, 2025, 6:44pm

@willemdh your assessment looks accurate, here: some of our newer integrations are populating data_stream.dataset instead of the earlier event.dataset, and our ML Jobs have not been updated to capture those data.

The team has filed an issue to track/update the ML job queries, but your workaround should also suffice in the interim: changing either the query or the data should address the issue.

willemdh · April 29, 2025, 6:56pm

Thanks @RylandHerrick !

Topic		Replies	Views
Packetbeat Rare DNS Questions ML Job Customization SIEM elastic-stack-machine-learning	7	812	October 27, 2020
There seems to be a bug in 7.10.2's builtin ml job windows_rare_user_type10_remote_login Elastic Security elastic-stack-machine-learning	2	394	March 18, 2021
Elastic Machine Learning - Pre Built Rules Elasticsearch elastic-stack-machine-learning	5	397	June 18, 2022
Packetbeat_dns_tunneling ML job Bug Elastic Security	2	28	April 3, 2025
Datafeed [datafeed-packetbeat_dns_tunneling] cannot retrieve data because no index matches datafeed's indices [packetbeat-*] Kibana elastic-stack-machine-learning	16	523	July 10, 2023

Wrong ML Job query packetbeat_rare_user_agent or missing event.dataset in network traffic data?

Related topics