diff --git a/x-pack/plugins/siem/public/components/page/hosts/authentications_table/index.tsx b/x-pack/plugins/siem/public/components/page/hosts/authentications_table/index.tsx index 26454215cf793..d539005736f69 100644 --- a/x-pack/plugins/siem/public/components/page/hosts/authentications_table/index.tsx +++ b/x-pack/plugins/siem/public/components/page/hosts/authentications_table/index.tsx @@ -135,12 +135,12 @@ const getAuthenticationColumns = (): [ }), }, { - name: i18n.FAILURES, + name: i18n.SUCCESSES, truncateText: false, hideForMobile: false, render: ({ node }) => { const id = escapeDataProviderId( - `authentications-table-${node._id}-failures-${node.failures}` + `authentications-table-${node._id}-node-successes-${node.successes}` ); return ( ) : ( - node.failures + node.successes ) } /> 
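Review bot: The id passed to `escapeDataProviderId` for the successes column is `authentications-table-${node._id}-node-successes-${node.successes}`, while the failures column uses `-failures-` with no `node-` segment; the same pair appears in the next hunk. Using one scheme, for example `authentications-table-${node._id}-successes-${node.successes}`, would keep the two ids parallel. Anything keyed on the current string, such as a snapshot test, would need updating, and no such consumer is visible on this page. The body of `render` is only partly shown here, so this covers the id only.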
@@ -172,59 +172,12 @@ const getAuthenticationColumns = (): [ }, }, { - name: i18n.LAST_FAILED_TIME, - truncateText: false, - hideForMobile: false, - render: ({ node }) => - has('lastFailure.timestamp', node) && node.lastFailure!.timestamp != null ? ( - - - - ) : ( - getEmptyTagValue() - ), - }, - { - name: i18n.LAST_FAILED_SOURCE, - truncateText: false, - hideForMobile: false, - render: ({ node }) => - getRowItemDraggables({ - rowItems: - node.lastFailure != null && - node.lastFailure.source != null && - node.lastFailure.source.ip != null - ? node.lastFailure.source.ip - : null, - attrName: 'source.ip', - idPrefix: `authentications-table-${node._id}-lastFailureSource`, - render: item => , - }), - }, - { - name: i18n.LAST_FAILED_DESTINATION, - truncateText: false, - hideForMobile: false, - render: ({ node }) => - getRowItemDraggables({ - rowItems: - node.lastFailure != null && - node.lastFailure.host != null && - node.lastFailure.host.name != null - ? node.lastFailure.host.name - : null, - attrName: 'host.name', - idPrefix: `authentications-table-${node._id}-lastFailureDestination`, - render: item => , - }), - }, - { - name: i18n.SUCCESSES, + name: i18n.FAILURES, truncateText: false, hideForMobile: false, render: ({ node }) => { const id = escapeDataProviderId( - `authentications-table-${node._id}-node-successes-${node.successes}` + `authentications-table-${node._id}-failures-${node.failures}` ); return ( ) : ( - node.successes + node.failures ) } /> 
@@ -302,4 +255,51 @@ const getAuthenticationColumns = (): [ render: item => , }), }, + { + name: i18n.LAST_FAILED_TIME, + truncateText: false, + hideForMobile: false, + render: ({ node }) => + has('lastFailure.timestamp', node) && node.lastFailure!.timestamp != null ? ( + + + + ) : ( + getEmptyTagValue() + ), + }, + { + name: i18n.LAST_FAILED_SOURCE, + truncateText: false, + hideForMobile: false, + render: ({ node }) => + getRowItemDraggables({ + rowItems: + node.lastFailure != null && + node.lastFailure.source != null && + node.lastFailure.source.ip != null + ? node.lastFailure.source.ip + : null, + attrName: 'source.ip', + idPrefix: `authentications-table-${node._id}-lastFailureSource`, + render: item => , + }), + }, + { + name: i18n.LAST_FAILED_DESTINATION, + truncateText: false, + hideForMobile: false, + render: ({ node }) => + getRowItemDraggables({ + rowItems: + node.lastFailure != null && + node.lastFailure.host != null && + node.lastFailure.host.name != null + ? node.lastFailure.host.name + : null, + attrName: 'host.name', + idPrefix: `authentications-table-${node._id}-lastFailureDestination`, + render: item => , + }), + }, ]; diff --git a/x-pack/plugins/siem/public/pages/hosts/hosts.tsx b/x-pack/plugins/siem/public/pages/hosts/hosts.tsx index c03bf2a6b3232..7f5b937c581fb 100644 --- a/x-pack/plugins/siem/public/pages/hosts/hosts.tsx +++ b/x-pack/plugins/siem/public/pages/hosts/hosts.tsx @@ -111,28 +111,20 @@ const HostsComponent = pure(({ filterQuery }) => ( - - {({ - uncommonProcesses, - totalCount, - loading, - pageInfo, - loadMore, - id, - refetch, - }) => ( - ( + (({ filterQuery }) => ( type={hostsModel.HostsType.page} /> )} - + - - {({ authentications, totalCount, loading, pageInfo, loadMore, id, refetch }) => ( - ( + (({ filterQuery }) => ( type={hostsModel.HostsType.page} /> )} - + 
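Review bot: The `LAST_FAILED_TIME` column added at the end of the array guards with `has('lastFailure.timestamp', node) && node.lastFailure!.timestamp != null`, which needs the non-null assertion because the path-string check does not narrow the type. The two columns added after it use explicit null checks instead. Writing the guard as `node.lastFailure != null && node.lastFailure.timestamp != null` would match them and drop the `!`. The JSX in the truthy branch is not visible on this page, so this covers only the condition.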
diff --git a/x-pack/plugins/siem/server/lib/authentications/query.dsl.ts b/x-pack/plugins/siem/server/lib/authentications/query.dsl.ts
index efde40485b1fa..b2216861de378 100644
--- a/x-pack/plugins/siem/server/lib/authentications/query.dsl.ts
+++ b/x-pack/plugins/siem/server/lib/authentications/query.dsl.ts
@@ -34,7 +34,6 @@ export const buildQuery = ({
 const filter = [
 ...createQueryFilterClauses(filterQuery),
- { term: { 'event.module': 'system' } },
 { term: { 'event.category': 'authentication' } },
 {
 range: {
@@ -65,7 +64,7 @@ export const buildQuery = ({
 terms: {
 size: limit + 1,
 field: 'user.name',
- order: { 'failures.doc_count': 'desc' },
+ order: [{ 'successes.doc_count': 'desc' }, { 'failures.doc_count': 'desc' }],
 },
 aggs: {
 failures: {
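Review bot: With the `event.module` term removed, the only data-source scoping left in `filter` is `{ term: { 'event.category': 'authentication' } }`, so the per-user counts now include authentication events from every module that sets that category. The `failures` and `successes` sub-aggregations are defined outside this hunk. If they match on values that only the system module emits, users seen through other sources would show zero in both columns, which is worth confirming against the fields those sources populate. A comment above the category term would record the intent, for example `// Not restricted by event.module: counts authentication events from any source that sets event.category.`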
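Review bot: Ordering the `user.name` buckets by `successes.doc_count` first puts accounts with many failed and no successful logins at the bottom, and because the terms aggregation keeps only `limit + 1` buckets they can fall outside the returned page altogether. In a table used to triage authentication activity, those are the rows an analyst looking for password guessing most needs to see. If successes-first is only a display preference, consider keeping failures as the primary key, `order: [{ 'failures.doc_count': 'desc' }, { 'successes.doc_count': 'desc' }],`, or add a comment on the `order` line stating why successes lead. The `aggs` body continues outside the hunk.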