From bfee1d4fa59a63b553cecee4528799ca0f838c9e Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Wed, 9 Jun 2021 17:54:08 -0400
Subject: [PATCH] Update datafeed_high_count_network_denies.json (#101681) (#101826)

add a boolean OR between the two possible field values

Co-authored-by: Craig Chamberlain
---
 .../datafeed_high_count_network_denies.json | 25 ++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_network/ml/datafeed_high_count_network_denies.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_network/ml/datafeed_high_count_network_denies.json
index a4412a6d732e99..3ff28ef3d8df3d 100755
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_network/ml/datafeed_high_count_network_denies.json
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_network/ml/datafeed_high_count_network_denies.json
@@ -13,10 +13,29 @@
 "term": {
 "event.category": "network"
 }
- },
+ }
+ ],
+ "must": [
 {
- "term": {
- "event.outcome": "deny"
+ "bool": {
+ "should": [
+ {
+ "match": {
+ "event.outcome": {
+ "query": "deny",
+ "operator": "OR"
+ }
+ }
+ },
+ {
+ "match": {
+ "event.type": {
+ "query": "denied",
+ "operator": "OR"
+ }
+ }
+ }
+ ]
 }
 }
 ]
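Review bot: The `"operator": "OR"` inside each new `match` clause is a no-op and does not implement the OR the commit describes — `operator` only governs how several analyzed tokens of one query string combine, and `deny` / `denied` are single tokens, so the actual OR semantics come entirely from the enclosing `bool.should`. Assuming `event.outcome` and `event.type` are keyword fields like the neighbouring `event.category` term suggests, plain term clauses state the intent more directly and match the file's existing style: `{ "term": { "event.outcome": "deny" } }` and `{ "term": { "event.type": "denied" } }`. The new `"must": [` array also moves this condition out of filter context into scoring context; the datafeed does not use relevance scores, so keeping the `bool` under the existing `filter` array (i.e. `"filter": [` in place of `"must": [`) keeps the query cacheable without changing which documents match. An explicit `"minimum_should_match": 1` on the inner `bool` would make the at-least-one requirement visible rather than relying on the default that applies only because that bool has no `must`/`filter` siblings. The enclosing outer `bool` query opens before line 13 and closes after this hunk.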