diff --git a/detection_rules/eswrap.py b/detection_rules/eswrap.py
index 77968723e..b8a6d1ab6 100644
--- a/detection_rules/eswrap.py
+++ b/detection_rules/eswrap.py
@@ -336,7 +336,7 @@ class CollectRtaEvents(CollectEvents):
     def run(self, dsl, indexes, start_time):
         """Collect the events."""
         results = self.search(dsl, language='dsl', index=indexes, start_time=start_time, end_time='now', size=5000,
-                              sort='@timestamp:asc')
+                              sort=[{'@timestamp': {'order': 'asc'}}])
         events = self._group_events_by_type(results)
         return RtaEvents(events)
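Review bot: With the sort now fixed to `@timestamp` ascending and `size=5000` still hard-coded on the preceding line, any RTA run that produces more than 5000 events silently loses the newest ones rather than failing or paging, and nothing in `run` reports that the window was truncated; consider checking the hit total against `size` (the exact field depends on what `self.search`, defined outside this hunk, returns) and logging or raising when it is exceeded. The docstring `"""Collect the events."""` could also say what is being collected and why the order matters, e.g. `"""Query `indexes` for events since `start_time`, oldest first so grouping preserves execution order, capped at 5000 hits."""`. The body-style sort object is presumably required by the client signature now used in `search`; that is inferred, not visible here.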