Custom App with authentication log

Just to check for this kind of ML job in prebuild detection rules, the setup said required data coming from elastic defend or auditd or system, so by default it does not work for custom app, correct ?

In this case, we can create our own custom ML job to perform on Unusual Login volume &
Brute Force Detection based on customapp data source, correct ?