Auditbeat omniscience?

I have an event picked up by Auditbeat where it registers a tcp connection to my machine (port 22 where openssh is listening) from an external source.

That's fine and dandy however it claims to know what the process and arguments are, even though it is an inbound connection!

Openssh is listening on port 22 so that would rule out this being part of another connection and the SIEM app clearly marks this as an inbound connection so can someone explain what this means please?

This doesn't look so much like an issue with SIEM rendering of the event as it does an issue with the data Auditbeat is producing.

Can you please share the raw JSON _source associated with that event.