Hi everyone, happy new year!
Can somebody please help me understand the following issue?
I have Elasticsearch (Elastic Defend) & Kibana on one server and Fleet on another, separate one. The monitored agents are on a virtual-machine Windows 10 host and, to test the Elastic Defend detection rules, I'm launching aggressive scans towards the Windows host. This produced the following alarm (for obvious reasons, I will put only the labels of interest), whose information is extracted from the Kibana Dev Tools:
The originating event info (ancestors info) in the alert document:
```json
"_index": ".internal.alerts-security.alerts-default-000001",
"kibana.alert.rule.name": "Potential Network Scan Detected",
"kibana.alert.ancestors": [
  {
    "id": "125f7f14-0f76-5717-bf69-742ea3e57fd1",
    "type": "event",
    "index": "logs-endpoint.events.network-*,logs-network_traffic.*,packetbeat-*,filebeat-*,auditbeat-*",
    "depth": 0
  }
]
```
As you can see, this alarm is "Potential Network Scan Detected" and it gives as ancestor (which I understand is the event that originated the alarm) the document id "125f7f14-0f76-5717-bf69-742ea3e57fd1", and the index I think is one of:
index: "logs-endpoint.events.network-*,logs-network_traffic.*,packetbeat-*,filebeat-*,auditbeat-*"
But when I try to look for that document ID with the following query (the query for the alarm's ancestor):
```json
GET /*/_search
{
  "query": {
    "terms": {
      "_id": [ "125f7f14-0f76-5717-bf69-742ea3e57fd1" ]
    }
  }
}
```
there are no results.
So, my question is: where is this document id "125f7f14-0f76-5717-bf69-742ea3e57fd1"?
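A small triage script for exactly this situation, added here as an example; it is not part of the post and not Elastic's code. It takes the alert fragment quoted above (constructed inline from the labels the post shows) and checks two things before you go hunting across every index: whether the ancestor `id` even has the shape of an Elasticsearch auto-generated `_id` (a 20-character URL-safe base64 string) or is instead a name-based version-5 UUID, which some producer derived rather than read back from a stored document, and whether the ancestor `index` is a concrete index or a comma-joined list of wildcard patterns. It then builds the `_msearch` body that looks the id up per pattern with hidden indices included, so a miss is a real miss. The function names and the reading of a v5 UUID as a derived identifier are my assumptions, not something the alert document states.

```python
"""Triage a Kibana security alert's ancestor entry before hunting for it.

Added example code: not from the forum post and not Elastic's code base.
The alert fragment below is constructed from the fields quoted in the post;
the function names and the interpretation of the id format are assumptions.
"""
import json
import re
import uuid

# Constructed from the alert fields quoted in the post (only the labels of interest).
ALERT_DOC = {
    "_index": ".internal.alerts-security.alerts-default-000001",
    "kibana.alert.rule.name": "Potential Network Scan Detected",
    "kibana.alert.ancestors": [
        {
            "id": "125f7f14-0f76-5717-bf69-742ea3e57fd1",
            "type": "event",
            "index": "logs-endpoint.events.network-*,logs-network_traffic.*,"
                     "packetbeat-*,filebeat-*,auditbeat-*",
            "depth": 0,
        }
    ],
}

# Elasticsearch auto-generated _id values are 20-character URL-safe base64
# strings, e.g. "RJ1KlYkB8u7ZpGy7XhF0".  A UUID whose version nibble is 5 is a
# name-based (SHA-1) UUID, i.e. something *derived* by whatever produced it
# (assumption: such an id need not correspond to any stored document).
_ES_AUTO_ID = re.compile(r"^[A-Za-z0-9_-]{20}$")


def describe_id(doc_id: str) -> str:
    """Classify an ancestor id as 'es-auto', 'uuid-v<N>' or 'other'."""
    if _ES_AUTO_ID.match(doc_id):
        return "es-auto"
    try:
        return f"uuid-v{uuid.UUID(doc_id).version}"
    except ValueError:
        return "other"


def split_index_patterns(index_field: str) -> list[str]:
    """Split the ancestor 'index' field; a concrete index yields one entry."""
    return [p.strip() for p in index_field.split(",") if p.strip()]


def is_pattern(index_field: str) -> bool:
    """True when the field is a wildcard or a comma-joined list, i.e. the rule's
    input pattern rather than the home index of one document."""
    return any(ch in index_field for ch in "*,")


def triage_ancestors(alert: dict) -> list[dict]:
    """Summarise each ancestor entry: id shape, index shape, patterns, depth."""
    out = []
    for anc in alert.get("kibana.alert.ancestors", []):
        out.append({
            "id": anc["id"],
            "id_kind": describe_id(anc["id"]),
            "index_is_pattern": is_pattern(anc["index"]),
            "patterns": split_index_patterns(anc["index"]),
            "depth": anc.get("depth"),
        })
    return out


def msearch_body(alert: dict) -> str:
    """NDJSON body for POST /_msearch: one _id lookup per recorded pattern,
    hidden indices included and missing patterns tolerated."""
    lines = []
    for anc in alert.get("kibana.alert.ancestors", []):
        for pattern in split_index_patterns(anc["index"]):
            header = {"index": pattern,
                      "expand_wildcards": "open,hidden",
                      "ignore_unavailable": True}
            body = {"query": {"terms": {"_id": [anc["id"]]}}, "size": 1}
            lines.append(json.dumps(header))
            lines.append(json.dumps(body))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for entry in triage_ancestors(ALERT_DOC):
        print(json.dumps(entry, indent=2))
    print(msearch_body(ALERT_DOC))
```

Run it and the first thing it reports for the id in the post is `uuid-v5`, with `index_is_pattern` true: both shapes differ from what an ancestor pointing at a stored source document normally looks like (a 20-character `_id` and a single concrete index), which is worth knowing before repeating the `GET /*/_search` lookup. The generated `_msearch` body can be pasted into Dev Tools as-is.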