diff --git a/x-pack/legacy/plugins/siem/server/lib/uncommon_processes/query.dsl.ts b/x-pack/legacy/plugins/siem/server/lib/uncommon_processes/query.dsl.ts
index e4b6bb8c6596..dc38824989da 100644
--- a/x-pack/legacy/plugins/siem/server/lib/uncommon_processes/query.dsl.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/uncommon_processes/query.dsl.ts
@@ -135,6 +135,11 @@ export const buildQuery = ({
 'event.dataset': 'process',
 },
 },
+ {
+ term: {
+ 'event.action': 'process_started',
+ },
+ },
 ],
 },
 },
@@ -170,6 +175,22 @@ export const buildQuery = ({
 ],
 },
 },
+ {
+ bool: {
+ filter: [
+ {
+ term: {
+ 'event.type': 'process_start',
+ },
+ },
+ {
+ term: {
+ 'event.category': 'process',
+ },
+ },
+ ],
+ },
+ },
 ],
 minimum_should_match: 1,
 filter,
diff --git a/x-pack/test/api_integration/apis/siem/kpi_network.ts b/x-pack/test/api_integration/apis/siem/kpi_network.ts
index 28cd89a2cc9b..6b12b4e3c938 100644
--- a/x-pack/test/api_integration/apis/siem/kpi_network.ts
+++ b/x-pack/test/api_integration/apis/siem/kpi_network.ts
@@ -21,7 +21,7 @@ export default function({ getService }: FtrProviderContext) {
 const TO = new Date('3000-01-01T00:00:00.000Z').valueOf();
 const expectedResult = {
 __typename: 'KpiNetworkData',
- networkEvents: 6157,
+ networkEvents: 6158,
 uniqueFlowId: 712,
 uniqueSourcePrivateIps: 8,
 uniqueSourcePrivateIpsHistogram: [
@@ -103,7 +103,7 @@ export default function({ getService }: FtrProviderContext) {
 const TO = new Date('3000-01-01T00:00:00.000Z').valueOf();
 const expectedResult = {
 __typename: 'KpiNetworkData',
- networkEvents: 6157,
+ networkEvents: 6158,
 uniqueFlowId: 712,
 uniqueSourcePrivateIps: 8,
 uniqueSourcePrivateIpsHistogram: [
diff --git a/x-pack/test/api_integration/apis/siem/overview_host.ts b/x-pack/test/api_integration/apis/siem/overview_host.ts
index ef960534f6ce..d93da079cbb7 100644
--- a/x-pack/test/api_integration/apis/siem/overview_host.ts
+++ b/x-pack/test/api_integration/apis/siem/overview_host.ts
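Review bot: Neither new clause in query.dsl.ts records which event producer it is meant to match, and nothing in the file as shown explains why the existing `event.dataset: process` filter is now narrowed to `event.action: process_started` — the second hunk of this file, which adds the parallel `event.type: process_start` / `event.category: process` clause, has the same gap. The first hunk changes what counts as an uncommon-process instance (only start events, presumably dropping the periodic snapshot records the same dataset emits for already-running processes), which is consistent with the fixture total falling from 80 to 3 in uncommon_processes.ts, but that intent should be stated at the query so the next vocabulary change does not silently widen or empty the result. The second hunk's `should` entry carries no module/shipper term, so any document with those two values is counted; if it is aimed at one shipper (the overview_host fixture's winlogbeat count going 0 → 1 suggests so), say which, since the two spellings of "process start" will drift independently otherwise. I would add `// count only process-start events: one instance per launch, not the snapshot records` above the first added term and `// ECS-shaped start events from other shippers; intentionally not tied to one module` above the second clause, adjusting the wording to whatever the producers actually are. buildQuery starts and ends outside both hunks.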
@@ -27,7 +27,7 @@ export default function({ getService }: FtrProviderContext) {
 auditbeatProcess: 7,
 auditbeatUser: 6,
 filebeatSystemModule: 0,
- winlogbeat: 0,
+ winlogbeat: 1,
 __typename: 'OverviewHostData',
 };
diff --git a/x-pack/test/api_integration/apis/siem/sources.ts b/x-pack/test/api_integration/apis/siem/sources.ts
index e96aaefee3ea..0b147022c7cd 100644
--- a/x-pack/test/api_integration/apis/siem/sources.ts
+++ b/x-pack/test/api_integration/apis/siem/sources.ts
@@ -30,7 +30,7 @@ export default function({ getService }: FtrProviderContext) {
 .then(resp => {
 const sourceStatus = resp.data.source.status;
 // test data in x-pack/test/functional/es_archives/auditbeat_test_data/data.json.gz
- expect(sourceStatus.indexFields.length).to.be(349);
+ expect(sourceStatus.indexFields.length).to.be(395);
 expect(sourceStatus.indicesExist).to.be(true);
 });
 });
diff --git a/x-pack/test/api_integration/apis/siem/uncommon_processes.ts b/x-pack/test/api_integration/apis/siem/uncommon_processes.ts
index 6e384ee9c20d..b463c4db9965 100644
--- a/x-pack/test/api_integration/apis/siem/uncommon_processes.ts
+++ b/x-pack/test/api_integration/apis/siem/uncommon_processes.ts
@@ -14,7 +14,7 @@ const FROM = new Date('2000-01-01T00:00:00.000Z').valueOf();
 const TO = new Date('3000-01-01T00:00:00.000Z').valueOf();
 // typical values that have to change after an update from "scripts/es_archiver"
-const TOTAL_COUNT = 80;
+const TOTAL_COUNT = 3;
 export default function({ getService }: FtrProviderContext) {
 const esArchiver = getService('esArchiver');
@@ -78,7 +78,7 @@ export default function({ getService }: FtrProviderContext) {
 expect(UncommonProcesses.edges.length).to.be(2);
 });
- it('should return a total count of 6 elements', async () => {
+ it('should return a total count of elements', async () => {
 const {
 data: {
 source: { UncommonProcesses },
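Review bot: The renamed test in the second uncommon_processes.ts hunk, `it('should return a total count of elements', …)`, no longer says what it is checking; removing the stale literal was right, but the name should derive from the constant the suite now keeps, e.g. `it(\`should return a total count of ${TOTAL_COUNT} elements\`, async () => {`, assuming the assertion further down (outside the hunk) compares against TOTAL_COUNT. The drop from 80 to 3 in the first hunk of that file, together with the replaced `_id`/host in its next hunk, shows the archive was regenerated, so the comment on the constant would be more useful if it named the archive this suite loads rather than just "scripts/es_archiver", so the next regeneration knows which counts to re-derive and from what. The sources.ts hunk's context comment points at `auditbeat_test_data/data.json.gz` while the binary changed in this commit is `auditbeat/hosts/data.json.gz`; that is pre-existing text, but worth confirming the 349 → 395 field count is explained by the archive actually loaded there. The enclosing describe and it blocks start and end outside these hunks.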
@@ -130,18 +130,11 @@ export default function({ getService }: FtrProviderContext) {
 },
 });
 const expected: GetUncommonProcessesQuery.Node = {
- _id: 'Ax5CB2kBR346wHgnUJ1s',
+ _id: 'HCFxB2kBR346wHgnL4ik',
 instances: 1,
 process: {
- args: [
- '/usr/bin/suricata',
- '-c',
- '/etc/suricata/suricata.yaml',
- '-i',
- 'eth0',
- '--init-errors-fatal',
- ],
- name: ['Suricata-Main'],
+ args: [],
+ name: ['kworker/u2:0'],
 __typename: 'ProcessEcsFields',
 },
 user: {
@@ -151,7 +144,7 @@ export default function({ getService }: FtrProviderContext) {
 },
 hosts: [
 {
- name: ['suricata-zeek-sensor-toronto'],
+ name: ['zeek-sensor-san-francisco'],
 __typename: 'HostEcsFields',
 },
 ],
diff --git a/x-pack/test/functional/es_archives/auditbeat/hosts/data.json.gz b/x-pack/test/functional/es_archives/auditbeat/hosts/data.json.gz
index 27368e1dfd1c..00c6963b1693 100644
Binary files a/x-pack/test/functional/es_archives/auditbeat/hosts/data.json.gz and b/x-pack/test/functional/es_archives/auditbeat/hosts/data.json.gz differ