Little help understanding a document query issue

Hi everyone, happy new year!

Can somebody please help me understand the following issue?
I have Elasticsearch (Elastic Defend) and Kibana on one server and Fleet on another, separate one. The monitoring agents are on a Windows 10 virtual-machine host and, to test the Elastic Defend detection rules, I'm launching aggressive scans towards the Windows host. It then produced the following alarm (for obvious reasons, I will include only the labels of interest), whose information is extracted from the Kibana Dev Tools:

The originating event info (ancestors info) in the alert document:

    "_index": ".internal.alerts-security.alerts-default-000001",
      "kibana.alert.rule.name": "Potential Network Scan Detected",
      "kibana.alert.ancestors": [
        {
          "id": "125f7f14-0f76-5717-bf69-742ea3e57fd1",
          "type": "event",
          "index": "logs-endpoint.events.network-*,logs-network_traffic.*,packetbeat-*,filebeat-*,auditbeat-*",
          "depth": 0
        }
      ],

As you can see, this alarm is "Potential Network Scan Detected" and it gives as ancestor (which I understand is the event that originated the alarm) the document id "125f7f14-0f76-5717-bf69-742ea3e57fd1", and the index, I think, is one of

    index: "logs-endpoint.events.network-*,logs-network_traffic.*,packetbeat-*,filebeat-*,auditbeat-*"

But I'm trying to look for that document ID with the query:

The query for the alarm's ancestor:

GET /*/_search
{
  "query": {
    "terms": {
      "_id": [ "125f7f14-0f76-5717-bf69-742ea3e57fd1" ]
    }
  }
}

and there are no results.

So, my question is: where is this document id "125f7f14-0f76-5717-bf69-742ea3e57fd1"?
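One way to check an alert's ancestors systematically, as an added example that is not from the original post: instead of searching `/*` with a `terms` query, take the index pattern the alert itself names, put it in the request path, and look the ancestor up with an `ids` query, recording which backing index (if any) returns the document. The alert hit below is constructed from the fields quoted above; `search` is any callable that sends `(path, body)` to your cluster, and `in_memory_search` is a stand-in so the code runs offline.

```python
from typing import Any, Callable, Dict, List, Optional

# Constructed sample alert hit, modelled on the fields quoted in the post.
SAMPLE_ALERT: Dict[str, Any] = {
    "_index": ".internal.alerts-security.alerts-default-000001",
    "_source": {
        "kibana.alert.rule.name": "Potential Network Scan Detected",
        "kibana.alert.ancestors": [
            {
                "id": "125f7f14-0f76-5717-bf69-742ea3e57fd1",
                "type": "event",
                "index": "logs-endpoint.events.network-*,logs-network_traffic.*,"
                         "packetbeat-*,filebeat-*,auditbeat-*",
                "depth": 0,
            }
        ],
    },
}

def ancestor_lookups(alert_hit: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One search request per ancestor: the ancestor's own index pattern goes
    in the path (ignore_unavailable so a missing pattern is not a 404) and the
    ancestor id goes into an `ids` query, the idiomatic way to fetch by _id."""
    requests = []
    for anc in alert_hit["_source"].get("kibana.alert.ancestors", []):
        pattern = anc.get("index") or "*"
        requests.append({
            "ancestor_id": anc["id"],
            "path": f"/{pattern}/_search?ignore_unavailable=true",
            "body": {"size": 1, "query": {"ids": {"values": [anc["id"]]}}},
        })
    return requests

def resolve_ancestors(alert_hit: Dict[str, Any],
                      search: Callable[[str, Dict[str, Any]], Dict[str, Any]]
                      ) -> Dict[str, Optional[str]]:
    """Map each ancestor id to the backing index holding it, or None if no
    index covered by the alert's pattern returns the document."""
    found: Dict[str, Optional[str]] = {}
    for req in ancestor_lookups(alert_hit):
        hits = search(req["path"], req["body"]).get("hits", {}).get("hits", [])
        found[req["ancestor_id"]] = hits[0]["_index"] if hits else None
    return found

def in_memory_search(docs: Dict[str, str]) -> Callable[..., Dict[str, Any]]:
    """Offline stand-in for a cluster: `docs` maps _id -> backing index name."""
    def search(path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        ids = body["query"]["ids"]["values"]
        hits = [{"_index": docs[i], "_id": i} for i in ids if i in docs]
        return {"hits": {"hits": hits}}
    return search
```

Against a live cluster, `search` would wrap your HTTP client and send `body` as JSON to `path`; an id that resolves to `None` under the alert's own pattern tells you the referenced event is not stored under that pattern at all, which narrows the question considerably.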
