[ML] Fix datafeed of auth_high_count_logon_events_for_a_source_ip anomaly detection job (#149524)

2025-04-24 09:48:58 -04:00 · 2023-01-26 10:31:17 -05:00 · 2023-01-26 10:31:17 -05:00 · da929fc667
commit da929fc667
parent 85b5351c90
1 changed files with 19 additions and 11 deletions
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_events_for_a_source_ip.json
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_events_for_a_source_ip.json
@ -5,16 +5,24 @@
  ],
  "max_empty_searches": 10,
  "query": {
-        "bool": {
-            "filter": [{"exists": {"field": "source.ip"}}],
-            "must": [
-                {"bool": {
-                    "should": [
-                    {"term": {"event.category": "authentication"}},
-                    {"term": {"event.outcome": "success"}}
-                    ]
-                }}
-            ]
+    "bool": {
+      "filter": [
+        {
+          "exists": {
+            "field": "source.ip"
+          }
+        },
+        {
+          "term": {
+            "event.category": "authentication"
+          }
+        },
+        {
+          "term": {
+            "event.outcome": "success"
+          }
        }
+      ]
+    }
  }
-}
+}