elastic · sodhikirti07 · Mar 24, 2026 · Feb 25, 2026 · Feb 25, 2026 · Feb 25, 2026
@@ -14852,7 +14852,7 @@ paths:
                   anomaly_threshold: 50
                   id: 60b13926-289b-41b1-a537-197ef1fa5059
                   machine_learning_job_id:
-                    - auth_high_count_logon_events
+                    - auth_high_count_logon_events_ea
             schema:
               $ref: '#/components/schemas/Security_Detections_API_RulePatchProps'
         description: |
@@ -15724,7 +15724,7 @@ paths:
                   description: New description of ml rule
                   id: 60b13926-289b-41b1-a537-197ef1fa5059
                   machine_learning_job_id:
-                    - auth_high_count_logon_events
+                    - auth_high_count_logon_events_ea
                   name: New name of ml rule
                   risk_score: 21
                   severity: low
@@ -16240,7 +16240,7 @@ paths:
                             interval: 15m
                             license: Elastic License v2
                             machine_learning_job_id:
-                              - packetbeat_dns_tunneling
+                              - packetbeat_dns_tunneling_ea
                             max_signals: 100
                             name: DNS Tunneling [Duplicate]
                             references:

@@ -16799,7 +16799,7 @@ paths:
                   anomaly_threshold: 50
                   id: 60b13926-289b-41b1-a537-197ef1fa5059
                   machine_learning_job_id:
-                    - auth_high_count_logon_events
+                    - auth_high_count_logon_events_ea
             schema:
               $ref: '#/components/schemas/Security_Detections_API_RulePatchProps'
         description: |
@@ -17671,7 +17671,7 @@ paths:
                   description: New description of ml rule
                   id: 60b13926-289b-41b1-a537-197ef1fa5059
                   machine_learning_job_id:
-                    - auth_high_count_logon_events
+                    - auth_high_count_logon_events_ea
                   name: New name of ml rule
                   risk_score: 21
                   severity: low
@@ -18187,7 +18187,7 @@ paths:
                             interval: 15m
                             license: Elastic License v2
                             machine_learning_job_id:
-                              - packetbeat_dns_tunneling
+                              - packetbeat_dns_tunneling_ea
                             max_signals: 100
                             name: DNS Tunneling [Duplicate]
                             references:

@@ -19,69 +19,69 @@
   },
   "jobs": [
     {
-      "id": "auth_high_count_logon_events_for_a_source_ip",
-      "file": "auth_high_count_logon_events_for_a_source_ip.json"
+      "id": "auth_high_count_logon_events_for_a_source_ip_ea",
+      "file": "auth_high_count_logon_events_for_a_source_ip_ea.json"
     },
     {
-      "id": "auth_high_count_logon_fails",
-      "file": "auth_high_count_logon_fails.json"
+      "id": "auth_high_count_logon_fails_ea",
+      "file": "auth_high_count_logon_fails_ea.json"
     },
     {
-      "id": "auth_high_count_logon_events",
-      "file": "auth_high_count_logon_events.json"
+      "id": "auth_high_count_logon_events_ea",
+      "file": "auth_high_count_logon_events_ea.json"
     },
     {
-      "id": "auth_rare_hour_for_a_user",
-      "file": "auth_rare_hour_for_a_user.json"
+      "id": "auth_rare_hour_for_a_user_ea",
+      "file": "auth_rare_hour_for_a_user_ea.json"
     },
     {
-      "id": "auth_rare_source_ip_for_a_user",
-      "file": "auth_rare_source_ip_for_a_user.json"
+      "id": "auth_rare_source_ip_for_a_user_ea",
+      "file": "auth_rare_source_ip_for_a_user_ea.json"
     },
     {
-      "id": "auth_rare_user",
-      "file": "auth_rare_user.json"
+      "id": "auth_rare_user_ea",
+      "file": "auth_rare_user_ea.json"
     },
     {
-      "id": "suspicious_login_activity",
-      "file": "suspicious_login_activity.json"
+      "id": "suspicious_login_activity_ea",
+      "file": "suspicious_login_activity_ea.json"
     }
   ],
   "datafeeds": [
     {
-      "id": "datafeed-auth_high_count_logon_events_for_a_source_ip",
-      "file": "datafeed_auth_high_count_logon_events_for_a_source_ip.json",
-      "job_id": "auth_high_count_logon_events_for_a_source_ip"
+      "id": "datafeed-auth_high_count_logon_events_for_a_source_ip_ea",
+      "file": "datafeed_auth_high_count_logon_events_for_a_source_ip_ea.json",
+      "job_id": "auth_high_count_logon_events_for_a_source_ip_ea"
     },
     {
-      "id": "datafeed-auth_high_count_logon_fails",
-      "file": "datafeed_auth_high_count_logon_fails.json",
-      "job_id": "auth_high_count_logon_fails"
+      "id": "datafeed-auth_high_count_logon_fails_ea",
+      "file": "datafeed_auth_high_count_logon_fails_ea.json",
+      "job_id": "auth_high_count_logon_fails_ea"
     },
     {
-      "id": "datafeed-auth_high_count_logon_events",
-      "file": "datafeed_auth_high_count_logon_events.json",
-      "job_id": "auth_high_count_logon_events"
+      "id": "datafeed-auth_high_count_logon_events_ea",
+      "file": "datafeed_auth_high_count_logon_events_ea.json",
+      "job_id": "auth_high_count_logon_events_ea"
     },
     {
-      "id": "datafeed-auth_rare_hour_for_a_user",
-      "file": "datafeed_auth_rare_hour_for_a_user.json",
-      "job_id": "auth_rare_hour_for_a_user"
+      "id": "datafeed-auth_rare_hour_for_a_user_ea",
+      "file": "datafeed_auth_rare_hour_for_a_user_ea.json",
+      "job_id": "auth_rare_hour_for_a_user_ea"
     },
     {
-      "id": "datafeed-auth_rare_source_ip_for_a_user",
-      "file": "datafeed_auth_rare_source_ip_for_a_user.json",
-      "job_id": "auth_rare_source_ip_for_a_user"
+      "id": "datafeed-auth_rare_source_ip_for_a_user_ea",
+      "file": "datafeed_auth_rare_source_ip_for_a_user_ea.json",
+      "job_id": "auth_rare_source_ip_for_a_user_ea"
     },
     {
-      "id": "datafeed-auth_rare_user",
-      "file": "datafeed_auth_rare_user.json",
-      "job_id": "auth_rare_user"
+      "id": "datafeed-auth_rare_user_ea",
+      "file": "datafeed_auth_rare_user_ea.json",
+      "job_id": "auth_rare_user_ea"
     },
     {
-      "id": "datafeed-suspicious_login_activity",
-      "file": "datafeed_suspicious_login_activity.json",
-      "job_id": "suspicious_login_activity"
+      "id": "datafeed-suspicious_login_activity_ea",
+      "file": "datafeed_suspicious_login_activity_ea.json",
+      "job_id": "suspicious_login_activity_ea"
     }
   ],
   "tags": [

@@ -1,6 +1,9 @@
 {
   "description": "Security: Authentication - Looks for an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration, or brute force activity. Requires Windows event data, such as from Winlogbeat.",
-  "groups": ["security", "authentication"],
+  "groups": [
+    "security",
+    "authentication"
+  ],
   "analysis_config": {
     "bucket_span": "15m",
     "detectors": [
@@ -10,7 +13,15 @@
         "detector_index": 0
       }
     ],
-    "influencers": ["source.ip", "winlog.event_data.LogonType", "user.name", "host.name"]
+    "influencers": [
+      "source.ip",
+      "winlog.event_data.LogonType",
+      "user.name",
+      "user.id",
+      "host.name",
+      "host.id",
+      "event.module"
+    ]
   },
   "allow_lazy_open": true,
   "analysis_limits": {

@@ -1,6 +1,9 @@
 {
   "description": "Security: Authentication - Looks for an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration, or brute force activity. Requires Windows event data, such as from Winlogbeat.",
-  "groups": ["security", "authentication"],
+  "groups": [
+    "security",
+    "authentication"
+  ],
   "analysis_config": {
     "bucket_span": "15m",
     "detectors": [
@@ -11,7 +14,15 @@
         "detector_index": 0
       }
     ],
-    "influencers": ["source.ip", "winlog.event_data.LogonType", "user.name", "host.name"]
+    "influencers": [
+      "source.ip",
+      "winlog.event_data.LogonType",
+      "user.name",
+      "user.id",
+      "host.name",
+      "host.id",
+      "event.module"
+    ]
   },
   "allow_lazy_open": true,
   "analysis_limits": {

@@ -1,6 +1,9 @@
 {
   "description": "Security: Authentication - Looks for an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration, or brute force activity and may be a precursor to account takeover or credentialed access.",
-  "groups": ["security", "authentication"],
+  "groups": [
+    "security",
+    "authentication"
+  ],
   "analysis_config": {
     "bucket_span": "15m",
     "detectors": [
@@ -10,7 +13,14 @@
         "detector_index": 0
       }
     ],
-    "influencers": ["source.ip", "user.name", "host.name"]
+    "influencers": [
+      "source.ip",
+      "user.name",
+      "user.id",
+      "host.name",
+      "host.id",
+      "event.module"
+    ]
   },
   "allow_lazy_open": true,
   "analysis_limits": {

@@ -1,6 +1,9 @@
 {
   "description": "Security: Authentication - Looks for a user with successful login/logon at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. In addition, unauthorized user activity often takes place during non-business hours.",
-  "groups": ["security", "authentication"],
+  "groups": [
+    "security",
+    "authentication"
+  ],
   "analysis_config": {
     "bucket_span": "15m",
     "detectors": [
@@ -11,7 +14,14 @@
         "detector_index": 0
       }
     ],
-    "influencers": ["source.ip", "user.name", "host.name"]
+    "influencers": [
+      "source.ip",
+      "host.name",
+      "user.name",
+      "user.id",
+      "host.id",
+      "event.module"
+    ]
   },
   "allow_lazy_open": true,
   "analysis_limits": {

@@ -1,6 +1,9 @@
 {
   "description": "Security: Authentication - Looks for a user logging in from an IP address that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts.",
-  "groups": ["security", "authentication"],
+  "groups": [
+    "security",
+    "authentication"
+  ],
   "analysis_config": {
     "bucket_span": "15m",
     "detectors": [
@@ -12,7 +15,14 @@
         "detector_index": 0
       }
     ],
-    "influencers": ["source.ip", "user.name", "host.name"]
+    "influencers": [
+      "source.ip",
+      "host.name",
+      "user.name",
+      "user.id",
+      "host.id",
+      "event.module"
+    ]
   },
   "allow_lazy_open": true,
   "analysis_limits": {

@@ -1,6 +1,9 @@
 {
   "description": "Security: Authentication - Looks for an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. A user account that is normally inactive, because the user has left the organization, which becomes active, may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.",
-  "groups": ["security", "authentication"],
+  "groups": [
+    "security",
+    "authentication"
+  ],
   "analysis_config": {
     "bucket_span": "15m",
     "detectors": [
@@ -11,7 +14,14 @@
         "detector_index": 0
       }
     ],
-    "influencers": ["source.ip", "user.name", "host.name"]
+    "influencers": [
+      "source.ip",
+      "host.name",
+      "user.name",
+      "user.id",
+      "host.id",
+      "event.module"
+    ]
   },
   "allow_lazy_open": true,
   "analysis_limits": {

@@ -20,9 +20,20 @@
       ],
       "must_not": {
         "terms": {
-          "process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
+          "process.name": [
+            "elastic-agent.exe",
+            "elastic-agent",
+            "metricbeat.exe",
+            "metricbeat",
+            "filebeat.exe",
+            "filebeat",
+            "packetbeat.exe",
+            "packetbeat",
+            "winlogbeat.exe",
+            "winlogbeat"
+          ]
         }
       }
     }
   }
-}
+}
@@ -25,9 +25,20 @@
       ],
       "must_not": {
         "terms": {
-          "process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
+          "process.name": [
+            "elastic-agent.exe",
+            "elastic-agent",
+            "metricbeat.exe",
+            "metricbeat",
+            "filebeat.exe",
+            "filebeat",
+            "packetbeat.exe",
+            "packetbeat",
+            "winlogbeat.exe",
+            "winlogbeat"
+          ]
         }
       }
     }
   }
-}
+}
@@ -20,9 +20,20 @@
       ],
       "must_not": {
         "terms": {
-          "process.name": ["elastic-agent.exe", "elastic-agent", "metricbeat.exe", "metricbeat", "filebeat.exe", "filebeat", "packetbeat.exe", "packetbeat", "winlogbeat.exe", "winlogbeat"]
+          "process.name": [
+            "elastic-agent.exe",
+            "elastic-agent",
+            "metricbeat.exe",
+            "metricbeat",
+            "filebeat.exe",
+            "filebeat",
+            "packetbeat.exe",
+            "packetbeat",
+            "winlogbeat.exe",
+            "winlogbeat"
+          ]
         }
       }
     }
   }
-}
+}