This is the query for the "SSH to the Internet" Rule:
network.transport: tcp and destination.port:22 and ( network.direction: outbound or ( source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ) )
It matches on internal SSH traffic, however, because of
network.direction: outbound, which is found in the auditbeat socket dataset.
Seems similar to https://github.com/elastic/kibana/issues/57447
But this is on 7.7, so not fixed yet?
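As an added illustration (not code from the issue or from Elastic's rule repository), the rule logic quoted above is re-implemented below and run over constructed auditbeat socket events, next to an assumed tightened variant that drops the bare network.direction: outbound clause so an outbound connection between two private addresses no longer matches.

```python
# Added example: models the "SSH to the Internet" rule from the issue in Python and
# evaluates it against constructed events to show the internal-to-internal match.
import ipaddress

# The three RFC 1918 ranges the rule lists.
PRIVATE_RANGES = [ipaddress.ip_network(c)
                  for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """True if ip lies inside one of the rule's private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def rule_as_published(event: dict) -> bool:
    """Rule as quoted in the issue: 'network.direction: outbound' alone is sufficient,
    so an outbound private-to-private SSH connection matches."""
    if event.get("network.transport") != "tcp" or event.get("destination.port") != 22:
        return False
    if event.get("network.direction") == "outbound":
        return True
    return is_private(event["source.ip"]) and not is_private(event["destination.ip"])


def rule_tightened(event: dict) -> bool:
    """Assumed fix (not Elastic's actual change): always require a non-private
    destination, whatever network.direction says."""
    if event.get("network.transport") != "tcp" or event.get("destination.port") != 22:
        return False
    return is_private(event["source.ip"]) and not is_private(event["destination.ip"])


# Constructed sample events in the ECS field layout auditbeat's socket dataset emits.
EVENTS = {
    "internal_to_internal": {"network.transport": "tcp", "destination.port": 22,
                             "network.direction": "outbound",
                             "source.ip": "10.1.2.3", "destination.ip": "192.168.5.6"},
    "internal_to_internet": {"network.transport": "tcp", "destination.port": 22,
                             "network.direction": "outbound",
                             "source.ip": "172.31.4.5", "destination.ip": "203.0.113.9"},
    "inbound_from_internet": {"network.transport": "tcp", "destination.port": 22,
                              "network.direction": "inbound",
                              "source.ip": "198.51.100.7", "destination.ip": "10.0.0.5"},
    "internal_https": {"network.transport": "tcp", "destination.port": 443,
                       "network.direction": "outbound",
                       "source.ip": "10.1.2.3", "destination.ip": "203.0.113.9"},
}


def evaluate(rule) -> dict:
    """Run one rule over every sample event; returns {event_name: matched}."""
    return {name: rule(ev) for name, ev in EVENTS.items()}
```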