per integrations team guidance use data_stream.dataset instead of event.dataset

Author: Mikaayenson

detection_rules/beats.py

@@ -267,15 +267,21 @@ def get_datasets_and_modules(tree: eql.ast.BaseNode | kql.ast.BaseNode) -> tuple
                 modules.add(node.right.render())  # type: ignore[reportUnknownMemberType]
             elif node.left == eql.ast.Field("event", ["dataset"]):
                 datasets.add(node.right.render())  # type: ignore[reportUnknownMemberType]
+            elif node.left == eql.ast.Field("data_stream", ["dataset"]):
+                datasets.add(node.right.render())  # type: ignore[reportUnknownMemberType]
         elif isinstance(node, eql.ast.InSet):
             if node.expression == eql.ast.Field("event", ["module"]):
                 modules.update(node.get_literals())  # type: ignore[reportUnknownMemberType]
             elif node.expression == eql.ast.Field("event", ["dataset"]):
                 datasets.update(node.get_literals())  # type: ignore[reportUnknownMemberType]
+            elif node.expression == eql.ast.Field("data_stream", ["dataset"]):
+                datasets.update(node.get_literals()). # type: ignore[reportUnknownMemberType]
         elif isinstance(node, kql.ast.FieldComparison) and node.field == kql.ast.Field("event.module"):  # type: ignore[reportUnknownMemberType]
             modules.update(child.value for child in node.value if isinstance(child, kql.ast.String))  # type: ignore[reportUnknownMemberType, reportUnknownVariableType]
         elif isinstance(node, kql.ast.FieldComparison) and node.field == kql.ast.Field("event.dataset"):  # type: ignore[reportUnknownMemberType]
             datasets.update(child.value for child in node.value if isinstance(child, kql.ast.String))  # type: ignore[reportUnknownMemberType, reportUnknownVariableType]
+        elif isinstance(node, kql.ast.FieldComparison) and node.field == kql.ast.Field("data_stream.dataset"):  # type: ignore[reportUnknownMemberType]
+            datasets.update(child.value for child in node.value if isinstance(child, kql.ast.String))  # type: ignore[reportUnknownMemberType]
 
     return datasets, modules
 

rules/promotions/crowdstrike_external_alerts.toml

@@ -61,7 +61,7 @@ This rule is designed to capture alert events generated by the CrowdStrike integ
 
 To capture CrowdStrike alerts, install and configure the CrowdStrike integration to ingest alert events into the `logs-crowdstrike.alert-*` index pattern.
 
-If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same CrowdStrike events. Consider adding a rule exception for the External Alert rule to exclude event.dataset:crowdstrike.alert to avoid receiving duplicate alerts.
+If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same CrowdStrike events. Consider adding a rule exception for the External Alert rule to exclude data_stream.dataset:crowdstrike.alert to avoid receiving duplicate alerts.
 
 ### Additional notes
 
@@ -73,7 +73,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.kind: alert and event.dataset: crowdstrike.alert
+event.kind: alert and data_stream.dataset: crowdstrike.alert
 '''
 
 [[rule.risk_score_mapping]]

rules/promotions/elastic_security_external_alerts.toml

@@ -64,7 +64,7 @@ This rule is designed to capture alert events generated by the Elastic Security
 
 To capture Elastic Security alerts, install and configure the Elastic Security integration to ingest alert events into the `logs-elastic_security.alert-*` index pattern.
 
-If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same Elastic Security events. Consider adding a rule exception for the External Alert rule to exclude event.dataset:elastic_security.alert to avoid receiving duplicate alerts.
+If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same Elastic Security events. Consider adding a rule exception for the External Alert rule to exclude data_stream.dataset:elastic_security.alert to avoid receiving duplicate alerts.
 
 ### Additional notes
 
@@ -76,7 +76,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.kind: alert and event.dataset: elastic_security.alert
+event.kind: alert and data_stream.dataset: elastic_security.alert
 '''
 
 

rules/promotions/google_secops_external_alerts.toml

@@ -63,7 +63,7 @@ This rule is designed to capture alert events generated by the Google SecOps int
 
 To capture Google SecOps alerts, install and configure the Google SecOps integration to ingest alert events into the `logs-google_secops.alert-*` index pattern.
 
-If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same SecOps events. Consider adding a rule exception for the External Alert rule to exclude event.dataset:google_secops.alert to avoid receiving duplicate alerts.
+If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same SecOps events. Consider adding a rule exception for the External Alert rule to exclude data_stream.dataset:google_secops.alert to avoid receiving duplicate alerts.
 
 ### Additional notes
 
@@ -75,7 +75,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.kind: alert and event.dataset: google_secops.alert
+event.kind: alert and data_stream.dataset: google_secops.alert
 '''
 
 [[rule.risk_score_mapping]]

rules/promotions/microsoft_sentinel_external_alerts.toml

@@ -62,7 +62,7 @@ This rule is designed to capture alert events generated by the Microsoft Sentine
 
 To capture Microsoft Sentinel alerts, install and configure the Microsoft Sentinel integration to ingest alert events into the `logs-microsoft_sentinel.alert-*` index pattern.
 
-If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same Sentinel events. Consider adding a rule exception for the External Alert rule to exclude event.dataset:(sentinel_one.alert or sentinel_one.threat) to avoid receiving duplicate alerts.
+If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same Sentinel events. Consider adding a rule exception for the External Alert rule to exclude data_stream.dataset:microsoft_sentinel.alert to avoid receiving duplicate alerts.
 
 ### Additional notes
 
@@ -74,7 +74,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.kind: alert and event.dataset: microsoft_sentinel.alert
+event.kind: alert and data_stream.dataset: microsoft_sentinel.alert
 '''
 
 [[rule.risk_score_mapping]]

rules/promotions/sentinelone_external_alerts.toml

@@ -63,7 +63,7 @@ This rule is designed to capture alert events generated by the SentinelOne integ
 
 To capture SentinelOne alerts, install and configure the SentinelOne integration to ingest alert events into the `logs-sentinel_one.alert-*` index pattern.
 
-If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same SentinelOne events. Consider adding a rule exception for the External Alert rule to exclude event.dataset:microsoft_sentinel.alert to avoid receiving duplicate alerts.
+If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same SentinelOne events. Consider adding a rule exception for the External Alert rule to exclude datastream.dataset: (sentinel_one.alert or sentinel_one.threat) to avoid receiving duplicate alerts.
 
 ### Additional notes
 
@@ -75,7 +75,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.kind: alert and event.dataset: (sentinel_one.alert or sentinel_one.threat)
+event.kind: alert and data_stream.dataset: sentinel_one.threat or event.kind: event and data_stream.dataset: sentinel_one.alert
 '''
 
 

rules/promotions/splunk_external_alerts.toml

@@ -63,7 +63,7 @@ This rule is designed to capture alert events generated by the Splunk integratio
 
 To capture Splunk alerts, install and configure the Splunk integration to ingest alert events into the `logs-splunk.alert-*` index pattern.
 
-If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same Splunk events. Consider adding a rule exception for the External Alert rule to exclude event.module:splunk to avoid receiving duplicate alerts.
+If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same Splunk events. Consider adding a rule exception for the External Alert rule to exclude data_stream.dataset:splunk.alert to avoid receiving duplicate alerts.
 
 ### Additional notes
 
@@ -75,7 +75,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.kind: alert and event.module: splunk
+event.kind: alert and data_stream.dataset: splunk.alert
 '''