diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_network/ml/datafeed_high_count_network_denies.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_network/ml/datafeed_high_count_network_denies.json
index a4412a6d732e99..3ff28ef3d8df3d 100755
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_network/ml/datafeed_high_count_network_denies.json
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_network/ml/datafeed_high_count_network_denies.json
@@ -13,10 +13,29 @@
 "term": {
 "event.category": "network"
 }
- },
+ }
+ ],
+ "must": [
 {
- "term": {
- "event.outcome": "deny"
+ "bool": {
+ "should": [
+ {
+ "match": {
+ "event.outcome": {
+ "query": "deny",
+ "operator": "OR"
+ }
+ }
+ },
+ {
+ "match": {
+ "event.type": {
+ "query": "denied",
+ "operator": "OR"
+ }
+ }
+ }
+ ]
 }
 }
 ]
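Review bot: The nested `bool` under the new `must` array holds only `should` clauses, so it depends on Elasticsearch's implicit rule that at least one must match; adding `"minimum_should_match": 1` beside `"should"` makes that explicit. Without it, a `filter` or `must` added to that inner `bool` later would make both deny conditions optional, and the datafeed would then count every network event rather than only denied ones. A datafeed has no use for relevance scores, so the whole clause could also sit in the existing `filter` array instead of a new `must`, keeping it in non-scoring filter context. `"operator": "OR"` is already the `match` default and changes nothing for a single-term query, so both occurrences can be dropped. The enclosing query object starts and ends outside this hunk.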