From cd7dfeeaf412a2cb8d8b534385b64a9cbe72191c Mon Sep 17 00:00:00 2001 
From: David Roberts Date: Tue, 15 Oct 2019 20:12:40 +0100 Subject: [PATCH] [ML] Add allow_lazy_open and max_empty_searches to SIEM jobs (#48238) This change augments the SIEM jobs and datafeeds that were added in #47848 with the allow_lazy_open and max_empty_searches options that were added in elastic/elasticsearch#47726 and elastic/elasticsearch#47922 respectively. --- .../ml/datafeed_linux_anomalous_network_activity_ecs.json | 1 + .../ml/datafeed_linux_anomalous_network_port_activity_ecs.json | 3 ++- .../ml/datafeed_linux_anomalous_network_service.json | 3 ++- .../ml/datafeed_linux_anomalous_network_url_activity_ecs.json | 1 + .../ml/datafeed_linux_anomalous_process_all_hosts_ecs.json | 1 + .../ml/datafeed_linux_anomalous_user_name_ecs.json | 1 + .../ml/datafeed_rare_process_by_host_linux_ecs.json | 1 + .../ml/datafeed_suspicious_login_activity_ecs.json | 1 + .../ml/linux_anomalous_network_activity_ecs.json | 1 + .../ml/linux_anomalous_network_port_activity_ecs.json | 1 + .../siem_auditbeat/ml/linux_anomalous_network_service.json | 1 + .../ml/linux_anomalous_network_url_activity_ecs.json | 1 + .../ml/linux_anomalous_process_all_hosts_ecs.json | 1 + .../siem_auditbeat/ml/linux_anomalous_user_name_ecs.json | 1 + .../siem_auditbeat/ml/rare_process_by_host_linux_ecs.json | 1 + .../siem_auditbeat/ml/suspicious_login_activity_ecs.json | 1 + .../ml/datafeed_suspicious_login_activity_ecs.json | 1 + .../siem_auditbeat_auth/ml/suspicious_login_activity_ecs.json | 1 + .../siem_packetbeat/ml/datafeed_packetbeat_dns_tunneling.json | 1 + .../ml/datafeed_packetbeat_rare_dns_question.json | 1 + .../ml/datafeed_packetbeat_rare_server_domain.json | 1 + .../siem_packetbeat/ml/datafeed_packetbeat_rare_urls.json | 3 ++- .../ml/datafeed_packetbeat_rare_user_agent.json | 3 ++- .../modules/siem_packetbeat/ml/packetbeat_dns_tunneling.json | 1 + .../siem_packetbeat/ml/packetbeat_rare_dns_question.json | 1 + .../siem_packetbeat/ml/packetbeat_rare_server_domain.json | 1 + 
.../modules/siem_packetbeat/ml/packetbeat_rare_urls.json | 1 + .../modules/siem_packetbeat/ml/packetbeat_rare_user_agent.json | 1 + .../ml/datafeed_rare_process_by_host_windows_ecs.json | 1 + .../ml/datafeed_windows_anomalous_network_activity_ecs.json | 1 + .../ml/datafeed_windows_anomalous_path_activity_ecs.json | 1 + .../ml/datafeed_windows_anomalous_process_all_hosts_ecs.json | 1 + .../ml/datafeed_windows_anomalous_process_creation.json | 1 + .../siem_winlogbeat/ml/datafeed_windows_anomalous_script.json | 1 + .../siem_winlogbeat/ml/datafeed_windows_anomalous_service.json | 1 + .../ml/datafeed_windows_anomalous_user_name_ecs.json | 1 + .../ml/datafeed_windows_rare_user_runas_event.json | 3 ++- .../siem_winlogbeat/ml/rare_process_by_host_windows_ecs.json | 1 + .../ml/windows_anomalous_network_activity_ecs.json | 1 + .../ml/windows_anomalous_path_activity_ecs.json | 1 + .../ml/windows_anomalous_process_all_hosts_ecs.json | 1 + .../siem_winlogbeat/ml/windows_anomalous_process_creation.json | 1 + .../modules/siem_winlogbeat/ml/windows_anomalous_script.json | 1 + .../modules/siem_winlogbeat/ml/windows_anomalous_service.json | 1 + .../siem_winlogbeat/ml/windows_anomalous_user_name_ecs.json | 1 + .../siem_winlogbeat/ml/windows_rare_user_runas_event.json | 1 + .../ml/datafeed_windows_rare_user_type10_remote_login.json | 1 + .../ml/windows_rare_user_type10_remote_login.json | 1 + 48 files changed, 53 insertions(+), 5 deletions(-) diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_network_activity_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_network_activity_ecs.json index 6301edb25e6e3..285d34c398045 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_network_activity_ecs.json 
+++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_network_activity_ecs.json
@@ -3,6 +3,7 @@
 "indices": [
 "INDEX_PATTERN_NAME"
 ],
+ "max_empty_searches": 10,
 "query": {
 "bool": {
 "filter": [
diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_network_port_activity_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_network_port_activity_ecs.json
index b7c361fdd85a9..98fc5406cf825 100644
--- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_network_port_activity_ecs.json
+++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_network_port_activity_ecs.json
@@ -3,6 +3,7 @@
 "indices": [
 "INDEX_PATTERN_NAME"
 ],
+ "max_empty_searches": 10,
 "query": {
 "bool": {
 "filter": [
@@ -24,4 +25,4 @@
 ]
 }
 }
- }
\ No newline at end of file
+ }
diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_network_service.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_network_service.json
index 5890e3499d180..411630b8c6720 100644
--- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_network_service.json
+++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_network_service.json
@@ -3,6 +3,7 @@
 "indices": [
 "INDEX_PATTERN_NAME"
 ],
+ "max_empty_searches": 10,
 "query": {
 "bool": {
 "filter": [
@@ -23,4 +24,4 @@
 ]
 }
 }
- }
\ No newline at end of file
+ }
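Review bot: `"max_empty_searches": 10` lets each of these datafeeds (starting with datafeed_linux_anomalous_network_activity_ecs.json, and identically in the two hunks that follow it on this line) stop itself and close its job after ten consecutive real-time searches return nothing, and nothing in the patch records that a SIEM detection can therefore switch itself off. As I read the Elasticsearch option this only bites a datafeed that has never returned data — first start, a mis-scoped `INDEX_PATTERN_NAME`, or the module enabled before Auditbeat ships its first events — but that is precisely the onboarding path for a SIEM module, so the operator sees "started" and then silently gets no anomalies. The datafeed `frequency` is outside the hunk, so the wall-clock window before the stop cannot be read from the patch. Strict JSON leaves nowhere for an inline comment, so the rationale and a "confirm the datafeed is still started after enabling" caveat belong in the module manifest or README, and ideally in each job's `description`. The same value is applied uniformly to all 26 datafeeds; if any source is expected to be quiet for longer than ten search intervals at first start, a larger value there would be worth considering.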
diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_network_url_activity_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_network_url_activity_ecs.json index f0a77e23971f2..3d6b6884d772d 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_network_url_activity_ecs.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_network_url_activity_ecs.json @@ -3,6 +3,7 @@ "indices": [ "INDEX_PATTERN_NAME" ], + "max_empty_searches": 10, "query": { "bool":{ "filter": [ diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_process_all_hosts_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_process_all_hosts_ecs.json index 776ca52ee8e2e..6ab30b8f5a140 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_process_all_hosts_ecs.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_process_all_hosts_ecs.json @@ -3,6 +3,7 @@ "indices": [ "INDEX_PATTERN_NAME" ], + "max_empty_searches": 10, "query": { "bool": { "filter": [ diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_user_name_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_user_name_ecs.json index 1b15697cc621f..fa1a6ba9d1756 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_user_name_ecs.json 
+++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_user_name_ecs.json @@ -3,6 +3,7 @@ "indices": [ "INDEX_PATTERN_NAME" ], + "max_empty_searches": 10, "query": { "bool": { "filter": [ diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_rare_process_by_host_linux_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_rare_process_by_host_linux_ecs.json index 8d714c036cfe0..9de27f5d213f2 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_rare_process_by_host_linux_ecs.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_rare_process_by_host_linux_ecs.json @@ -3,6 +3,7 @@ "indexes": [ "INDEX_PATTERN_NAME" ], + "max_empty_searches": 10, "query": { "bool": { "filter": [ diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_suspicious_login_activity_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_suspicious_login_activity_ecs.json index ad05baa5d02a9..e92ba08378fab 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_suspicious_login_activity_ecs.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_suspicious_login_activity_ecs.json @@ -3,6 +3,7 @@ "indexes": [ "INDEX_PATTERN_NAME" ], + "max_empty_searches": 10, "query": { "bool": { "filter": { diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_network_activity_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_network_activity_ecs.json index fdce2211ee94e..97c793c51f753 100644 
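Review bot: The datafeed_rare_process_by_host_linux_ecs.json hunk (and the datafeed_suspicious_login_activity_ecs.json hunk after it) still spells the index list `"indexes": [` while the sibling datafeeds touched in this same patch use `"indices": [`; `indexes` looks like the legacy spelling that Elasticsearch accepts as a deprecated alias, so the module now ships two spellings of the same datafeed field and the legacy one could stop parsing in a later major. Since the hunk already edits the line immediately after it, normalising to `"indices": [` here is a one-token change. The same legacy spelling appears in the siem_auditbeat_auth datafeed and in datafeed_rare_process_by_host_windows_ecs.json further down, so one sweep would cover all four.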
--- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_network_activity_ecs.json
+++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_network_activity_ecs.json
@@ -22,6 +22,7 @@
 "destination.ip"
 ]
 },
+ "allow_lazy_open": true,
 "analysis_limits": {
 "model_memory_limit": "64mb"
 },
diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_network_port_activity_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_network_port_activity_ecs.json
index 2f97d13d0fb18..24f2690b27774 100644
--- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_network_port_activity_ecs.json
+++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_network_port_activity_ecs.json
@@ -22,6 +22,7 @@
 "destination.ip"
 ]
 },
+ "allow_lazy_open": true,
 "analysis_limits": {
 "model_memory_limit": "32mb"
 },
diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_network_service.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_network_service.json
index ac7dd69a6773d..8a5deddbeb5dc 100644
--- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_network_service.json
+++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_network_service.json
@@ -21,6 +21,7 @@
 "user.name"
 ]
 },
+ "allow_lazy_open": true,
 "analysis_limits": {
 "model_memory_limit": "128mb"
 },
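Review bot: `"allow_lazy_open": true` (first in linux_anomalous_network_activity_ecs.json, then the two job hunks that follow on this line) makes an open-job request succeed even when no ML node has capacity, after which the job sits in `opening` with no detection running; for SIEM jobs that is a silent coverage gap, and nothing in this hunk or the patch description tells the operator that "opened successfully" no longer means "analysing". The SIEM enable flow presumably reports success at that point, so users need an explicit cue to check the job state and `assignment_explanation` before trusting that alerts will flow. These files are strict JSON with nowhere for an inline comment, so I would extend each job's `description` (outside the hunk) or the module docs with a note such as "Opens lazily: verify the job reaches the opened state before relying on its results". The flag is added to every job in the patch, so one shared note in the module manifest would cover them all.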
diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_network_url_activity_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_network_url_activity_ecs.json index 1ac59e542436d..4f8da6c486fff 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_network_url_activity_ecs.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_network_url_activity_ecs.json @@ -21,6 +21,7 @@ "destination.port" ] }, + "allow_lazy_open": true, "analysis_limits": { "model_memory_limit": "32mb" }, diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_process_all_hosts_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_process_all_hosts_ecs.json index be8b00ba73cc8..e0c310e33a1c9 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_process_all_hosts_ecs.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_process_all_hosts_ecs.json @@ -21,6 +21,7 @@ "user.name" ] }, + "allow_lazy_open": true, "analysis_limits": { "model_memory_limit": "512mb" }, diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_user_name_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_user_name_ecs.json index 9eefe51b9c412..f7d4725d318e8 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_user_name_ecs.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_user_name_ecs.json 
@@ -21,6 +21,7 @@ "user.name" ] }, + "allow_lazy_open": true, "analysis_limits": { "model_memory_limit": "32mb" }, diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/rare_process_by_host_linux_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/rare_process_by_host_linux_ecs.json index 87df75ba9dfc3..a770300fb0601 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/rare_process_by_host_linux_ecs.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/rare_process_by_host_linux_ecs.json @@ -22,6 +22,7 @@ "user.name" ] }, + "allow_lazy_open": true, "analysis_limits": { "model_memory_limit": "256mb" }, diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/suspicious_login_activity_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/suspicious_login_activity_ecs.json index f54a2f2f766aa..d66ac51439340 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/suspicious_login_activity_ecs.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/suspicious_login_activity_ecs.json @@ -17,6 +17,7 @@ "source.ip" ] }, + "allow_lazy_open": true, "analysis_limits": { "model_memory_limit": "256mb" }, diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat_auth/ml/datafeed_suspicious_login_activity_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat_auth/ml/datafeed_suspicious_login_activity_ecs.json index 519e30a1c8ed9..75e7148b4db1a 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat_auth/ml/datafeed_suspicious_login_activity_ecs.json 
+++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat_auth/ml/datafeed_suspicious_login_activity_ecs.json @@ -3,6 +3,7 @@ "indexes": [ "INDEX_PATTERN_NAME" ], + "max_empty_searches": 10, "query": { "bool": { "filter": [ diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat_auth/ml/suspicious_login_activity_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat_auth/ml/suspicious_login_activity_ecs.json index 52cd679d91dce..18f56a98202dd 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat_auth/ml/suspicious_login_activity_ecs.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat_auth/ml/suspicious_login_activity_ecs.json @@ -21,6 +21,7 @@ "source.ip" ] }, + "allow_lazy_open": true, "analysis_limits": { "model_memory_limit": "256mb" }, diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/datafeed_packetbeat_dns_tunneling.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/datafeed_packetbeat_dns_tunneling.json index 5581ca5b39f07..449c8af238b56 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/datafeed_packetbeat_dns_tunneling.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/datafeed_packetbeat_dns_tunneling.json @@ -3,6 +3,7 @@ "indices": [ "INDEX_PATTERN_NAME" ], + "max_empty_searches": 10, "query": { "bool": { "filter": [ diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/datafeed_packetbeat_rare_dns_question.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/datafeed_packetbeat_rare_dns_question.json index 667f0a12c4dcc..3a4055eb55ba0 100644 
--- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/datafeed_packetbeat_rare_dns_question.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/datafeed_packetbeat_rare_dns_question.json @@ -3,6 +3,7 @@ "indices": [ "INDEX_PATTERN_NAME" ], + "max_empty_searches": 10, "query": { "bool": { "filter": [ diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/datafeed_packetbeat_rare_server_domain.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/datafeed_packetbeat_rare_server_domain.json index e473d1905f6ef..630fa9275c681 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/datafeed_packetbeat_rare_server_domain.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/datafeed_packetbeat_rare_server_domain.json @@ -3,6 +3,7 @@ "indices": [ "INDEX_PATTERN_NAME" ], + "max_empty_searches": 10, "query": { "bool": { "filter": [ diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/datafeed_packetbeat_rare_urls.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/datafeed_packetbeat_rare_urls.json index 713b21c371c65..b2592bbaf68e6 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/datafeed_packetbeat_rare_urls.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/datafeed_packetbeat_rare_urls.json @@ -3,6 +3,7 @@ "indices": [ "INDEX_PATTERN_NAME" ], + "max_empty_searches": 10, "query": { "bool": { "filter": [ @@ -14,4 +15,4 @@ ] } } -} \ No newline at end of file +} 
diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/datafeed_packetbeat_rare_user_agent.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/datafeed_packetbeat_rare_user_agent.json index e862662a4f65b..c5938aa200cd4 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/datafeed_packetbeat_rare_user_agent.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/datafeed_packetbeat_rare_user_agent.json @@ -3,6 +3,7 @@ "indices": [ "INDEX_PATTERN_NAME" ], + "max_empty_searches": 10, "query": { "bool": { "filter": [ @@ -14,4 +15,4 @@ ] } } -} \ No newline at end of file +} diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/packetbeat_dns_tunneling.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/packetbeat_dns_tunneling.json index 1b7d6babad292..0f0fca1bf560a 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/packetbeat_dns_tunneling.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/packetbeat_dns_tunneling.json @@ -36,6 +36,7 @@ "dns.question.etld_plus_one" ] }, + "allow_lazy_open": true, "analysis_limits": { "model_memory_limit": "256mb" }, diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/packetbeat_rare_dns_question.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/packetbeat_rare_dns_question.json index 162728be933ed..d2c4a0ca50dc4 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/packetbeat_rare_dns_question.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/packetbeat_rare_dns_question.json 
@@ -19,6 +19,7 @@ "host.name" ] }, + "allow_lazy_open": true, "analysis_limits": { "model_memory_limit": "256mb" }, diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/packetbeat_rare_server_domain.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/packetbeat_rare_server_domain.json index 142dc382b4d5b..132cf9fff04cc 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/packetbeat_rare_server_domain.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/packetbeat_rare_server_domain.json @@ -21,6 +21,7 @@ "source.ip" ] }, + "allow_lazy_open": true, "analysis_limits": { "model_memory_limit": "256mb" }, diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/packetbeat_rare_urls.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/packetbeat_rare_urls.json index d0b2d5e354b78..e0791ad4eaea9 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/packetbeat_rare_urls.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/packetbeat_rare_urls.json @@ -20,6 +20,7 @@ "destination.ip" ] }, + "allow_lazy_open": true, "analysis_limits": { "model_memory_limit": "256mb" }, diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/packetbeat_rare_user_agent.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/packetbeat_rare_user_agent.json index d9ac6817a0394..eae29466a6417 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/packetbeat_rare_user_agent.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/ml/packetbeat_rare_user_agent.json 
@@ -20,6 +20,7 @@ "destination.ip" ] }, + "allow_lazy_open": true, "analysis_limits": { "model_memory_limit": "256mb" }, diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_rare_process_by_host_windows_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_rare_process_by_host_windows_ecs.json index ea3eee94298e1..81519bf6001e3 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_rare_process_by_host_windows_ecs.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_rare_process_by_host_windows_ecs.json @@ -3,6 +3,7 @@ "indexes": [ "INDEX_PATTERN_NAME" ], + "max_empty_searches": 10, "query": { "bool": { "filter": [ diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_network_activity_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_network_activity_ecs.json index 9c9432ff01cfb..f5e937e4ae717 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_network_activity_ecs.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_network_activity_ecs.json @@ -3,6 +3,7 @@ "indices": [ "INDEX_PATTERN_NAME" ], + "max_empty_searches": 10, "query": { "bool": { "filter": [ diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_path_activity_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_path_activity_ecs.json index 012a6fa83067e..a9dba89bfe5e8 100644 
--- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_path_activity_ecs.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_path_activity_ecs.json @@ -3,6 +3,7 @@ "indices": [ "INDEX_PATTERN_NAME" ], + "max_empty_searches": 10, "query": { "bool": { "filter": [ diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_process_all_hosts_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_process_all_hosts_ecs.json index 012a6fa83067e..a9dba89bfe5e8 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_process_all_hosts_ecs.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_process_all_hosts_ecs.json @@ -3,6 +3,7 @@ "indices": [ "INDEX_PATTERN_NAME" ], + "max_empty_searches": 10, "query": { "bool": { "filter": [ diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_process_creation.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_process_creation.json index 1a8e603a64d83..124a5d17dbb9f 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_process_creation.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_process_creation.json @@ -3,6 +3,7 @@ "indices": [ "INDEX_PATTERN_NAME" ], + "max_empty_searches": 10, "query": { "bool": { "filter": [ 
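Review bot: The `index` lines show that datafeed_windows_anomalous_process_all_hosts_ecs.json, datafeed_windows_anomalous_path_activity_ecs.json (previous line) and datafeed_windows_anomalous_user_name_ecs.json (next line) share blob hash 012a6fa83067e before and a9dba89bfe5e8 after this change, i.e. the three datafeed files are byte-identical. That may well be intended, since the three jobs could legitimately read the same winlogbeat event filter and differ only in their detectors, but it is worth a quick confirmation that the path-activity and user-name datafeeds are not copy-pastes that were meant to carry a narrower query. If identical bodies are intentional, a one-line note in the module manifest saying so would stop the next reviewer from asking the same question.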
diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_script.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_script.json index 698cb19c1fbbf..d6b11501ff122 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_script.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_script.json @@ -3,6 +3,7 @@ "indices": [ "INDEX_PATTERN_NAME" ], + "max_empty_searches": 10, "query": { "bool": { "filter": [ diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_service.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_service.json index 9380004152c07..efb578e646189 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_service.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_service.json @@ -3,6 +3,7 @@ "indices": [ "INDEX_PATTERN_NAME" ], + "max_empty_searches": 10, "query": { "bool": { "filter": [ diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_user_name_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_user_name_ecs.json index 012a6fa83067e..a9dba89bfe5e8 100644 --- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_user_name_ecs.json +++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_anomalous_user_name_ecs.json 
@@ -3,6 +3,7 @@
 "indices": [
 "INDEX_PATTERN_NAME"
 ],
+ "max_empty_searches": 10,
 "query": {
 "bool": {
 "filter": [
diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_rare_user_runas_event.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_rare_user_runas_event.json
index 913ebb37ce611..316e5c834f0ac 100644
--- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_rare_user_runas_event.json
+++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/datafeed_windows_rare_user_runas_event.json
@@ -3,6 +3,7 @@
 "indices": [
 "INDEX_PATTERN_NAME"
 ],
+ "max_empty_searches": 10,
 "query": {
 "bool": {
 "filter": [
@@ -11,4 +12,4 @@
 ]
 }
 }
- }
\ No newline at end of file
+ }
diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/rare_process_by_host_windows_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/rare_process_by_host_windows_ecs.json
index 0a34ed4e36fe6..ec6e1f8455312 100644
--- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/rare_process_by_host_windows_ecs.json
+++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/rare_process_by_host_windows_ecs.json
@@ -21,6 +21,7 @@
 "user.name"
 ]
 },
+ "allow_lazy_open": true,
 "analysis_limits": {
 "model_memory_limit": "256mb"
 },
diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_network_activity_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_network_activity_ecs.json
index 21298890dcb7b..45a4e55e4ea05 100644
--- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_network_activity_ecs.json
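Review bot: `"allow_lazy_open": true` in the rare_process_by_host_windows_ecs job lets the open-job call succeed even when no ML node currently has capacity, leaving the job in the `opening` state until capacity appears, so a cluster short on ML memory will show these SIEM jobs as accepted while no anomaly detection is actually running. For detection jobs that deserves an explicit decision: the default, an immediate failure at open time, is noisier but visible, whereas a job parked in `opening` is easy to mistake for a working one. If lazy opening is the intended trade-off, document it next to the memory limits in the module description, e.g. `Jobs open lazily; a job must reach state "opened", not "opening", before its anomalies can be relied on.` The same line is added to the remaining job hunks on this page (windows_anomalous_network_activity_ecs through windows_rare_user_type10_remote_login).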
+++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_network_activity_ecs.json
@@ -22,6 +22,7 @@
 "destination.ip"
 ]
 },
+ "allow_lazy_open": true,
 "analysis_limits": {
 "model_memory_limit": "64mb"
 },
diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_path_activity_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_path_activity_ecs.json
index a601bd8de8f7d..74b4271032f56 100644
--- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_path_activity_ecs.json
+++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_path_activity_ecs.json
@@ -21,6 +21,7 @@
 "user.name"
 ]
 },
+ "allow_lazy_open": true,
 "analysis_limits": {
 "model_memory_limit": "256mb"
 },
diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_process_all_hosts_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_process_all_hosts_ecs.json
index 98e156884ab40..94a33a9abd1b5 100644
--- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_process_all_hosts_ecs.json
+++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_process_all_hosts_ecs.json
@@ -21,6 +21,7 @@
 "user.name"
 ]
 },
+ "allow_lazy_open": true,
 "analysis_limits": {
 "model_memory_limit": "256mb"
 },
diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_process_creation.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_process_creation.json
index 3747e434dc109..b87603db74c50 100644
--- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_process_creation.json
+++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_process_creation.json
@@ -22,6 +22,7 @@
 "user.name"
 ]
 },
+ "allow_lazy_open": true,
 "analysis_limits": {
 "model_memory_limit": "256mb"
 },
diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_script.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_script.json
index 1540c67204f08..5feed1145ebfe 100644
--- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_script.json
+++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_script.json
@@ -21,6 +21,7 @@
 "winlog.event_data.Path"
 ]
 },
+ "allow_lazy_open": true,
 "analysis_limits": {
 "model_memory_limit": "256mb"
 },
diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_service.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_service.json
index 819a2f1ba9d31..45b66aa7650cb 100644
--- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_service.json
+++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_service.json
@@ -20,6 +20,7 @@
 "winlog.event_data.ServiceName"
 ]
 },
+ "allow_lazy_open": true,
 "analysis_limits": {
 "model_memory_limit": "256mb"
 },
diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_user_name_ecs.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_user_name_ecs.json
index 14c2fa98e1df3..19e594b078901 100644
--- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_user_name_ecs.json
+++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_anomalous_user_name_ecs.json
@@ -21,6 +21,7 @@
 "user.name"
 ]
 },
+ "allow_lazy_open": true,
 "analysis_limits": {
 "model_memory_limit": "256mb"
 },
diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_rare_user_runas_event.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_rare_user_runas_event.json
index a2e22c65636c9..4259f29a08b56 100644
--- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_rare_user_runas_event.json
+++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/ml/windows_rare_user_runas_event.json
@@ -21,6 +21,7 @@
 "user.name"
 ]
 },
+ "allow_lazy_open": true,
 "analysis_limits": {
 "model_memory_limit": "128mb"
 },
diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat_auth/ml/datafeed_windows_rare_user_type10_remote_login.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat_auth/ml/datafeed_windows_rare_user_type10_remote_login.json
index 142d4c6500181..719adf68207b0 100644
--- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat_auth/ml/datafeed_windows_rare_user_type10_remote_login.json
+++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat_auth/ml/datafeed_windows_rare_user_type10_remote_login.json
@@ -3,6 +3,7 @@
 "indices": [
 "INDEX_PATTERN_NAME"
 ],
+ "max_empty_searches": 10,
 "query": {
 "bool": {
 "filter": [
diff --git a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat_auth/ml/windows_rare_user_type10_remote_login.json b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat_auth/ml/windows_rare_user_type10_remote_login.json
index aa9f08c38a640..14512ea0d136e 100644
--- a/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat_auth/ml/windows_rare_user_type10_remote_login.json
+++ b/x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat_auth/ml/windows_rare_user_type10_remote_login.json
@@ -21,6 +21,7 @@
 "user.name"
 ]
 },
+ "allow_lazy_open": true,
 "analysis_limits": {
 "model_memory_limit": "128mb"
 },