diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
index eff3dd0ab1400..d9455ab7d5b3e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json
@@ -9,7 +9,7 @@
   "language": "kuery",
   "max_signals": 100,
   "name": "Potential Shell via Web Server",
-  "query": "process.name: bash and user.name: (apache or www or \"wwww-data\") and event.action:executed",
+  "query": "process.name: bash and user.name: (apache or www or \"www-data\") and event.action:executed",
   "references": [
     "https://pentestlab.blog/tag/web-shell/"
   ],