[ML] Add allow_lazy_open and max_empty_searches to SIEM jobs (#48238)

This change augments the SIEM jobs and datafeeds that were
added in #47848 with the allow_lazy_open and max_empty_searches
options that were added in elastic/elasticsearch#47726 and
elastic/elasticsearch#47922 respectively.

Author: David Roberts

x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_network_activity_ecs.json

@@ -3,6 +3,7 @@
     "indices": [
       "INDEX_PATTERN_NAME"
     ],
+    "max_empty_searches": 10,
     "query": {
             "bool": {
               "filter": [

x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_network_port_activity_ecs.json

@@ -3,6 +3,7 @@
     "indices": [
       "INDEX_PATTERN_NAME"
     ],
+    "max_empty_searches": 10,
     "query": {
       "bool": {
         "filter": [
@@ -24,4 +25,4 @@
         ]
       }
     }
-  }
+  }

x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_network_service.json

@@ -3,6 +3,7 @@
     "indices": [
       "INDEX_PATTERN_NAME"
     ],
+    "max_empty_searches": 10,
     "query": {
         "bool": {
           "filter": [
@@ -23,4 +24,4 @@
         ]
         }
       }
-  }
+  }

x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_network_url_activity_ecs.json

@@ -3,6 +3,7 @@
     "indices": [
       "INDEX_PATTERN_NAME"
     ],
+    "max_empty_searches": 10,
     "query": {
         "bool":{
           "filter": [

x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_process_all_hosts_ecs.json

@@ -3,6 +3,7 @@
     "indices": [
       "INDEX_PATTERN_NAME"
     ],
+    "max_empty_searches": 10,
     "query": {
         "bool": {
           "filter": [

x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_linux_anomalous_user_name_ecs.json

@@ -3,6 +3,7 @@
     "indices": [
       "INDEX_PATTERN_NAME"
     ],
+    "max_empty_searches": 10,
     "query": {
         "bool": {
             "filter": [

x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_rare_process_by_host_linux_ecs.json

@@ -3,6 +3,7 @@
     "indexes": [
       "INDEX_PATTERN_NAME"
     ],
+    "max_empty_searches": 10,
     "query": {
       "bool": {
         "filter": [

x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/datafeed_suspicious_login_activity_ecs.json

@@ -3,6 +3,7 @@
   "indexes": [
     "INDEX_PATTERN_NAME"
   ],
+  "max_empty_searches": 10,
   "query": {
     "bool": {
       "filter": {

x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_network_activity_ecs.json

@@ -22,6 +22,7 @@
         "destination.ip"
       ]
     },
+    "allow_lazy_open": true,
     "analysis_limits": {
       "model_memory_limit": "64mb"
     },

x-pack/legacy/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/ml/linux_anomalous_network_port_activity_ecs.json

@@ -22,6 +22,7 @@
       "destination.ip"
     ]
   },
+  "allow_lazy_open": true,
   "analysis_limits": {
     "model_memory_limit": "32mb"
   },