These two views are looking at different data sources.
The first is looking at the raw events from Suricata.
The second is looking at alerts in .alerts-security.alerts-default. These events would have been put here by a detection rule. There is a generic rule called External Alerts that takes alert events from external systems like Suricata and "promotes" them to be Elastic SIEM alerts.
So the difference might just be related to timing. I think the @timestamp on the data in the .alerts index is when the rule triggered. The time from the original suricata alert should also be in there, but under a different field.
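An added example (not code from the post or from Elastic) of the timing effect described above: the same five-minute window counted against raw Suricata events, against promoted alerts by their `@timestamp`, and against promoted alerts by the source event's time, plus the lag between each source event and the rule firing. The field names `kibana.alert.original_time` and `kibana.alert.ancestors` are assumed from the Elastic Security alert schema, and all documents are constructed samples.

```python
from datetime import datetime

# Constructed sample documents (not real data). Raw Suricata events carry the
# time the IDS saw the traffic in @timestamp. The promoted alerts carry the time
# the rule fired in @timestamp and, under the assumed field
# kibana.alert.original_time, the timestamp of the source event.
RAW_SURICATA = [
    {"_id": "ev-1", "@timestamp": "2024-05-01T10:00:00Z", "event.module": "suricata"},
    {"_id": "ev-2", "@timestamp": "2024-05-01T10:04:40Z", "event.module": "suricata"},
    {"_id": "ev-3", "@timestamp": "2024-05-01T10:09:50Z", "event.module": "suricata"},
]
PROMOTED_ALERTS = [
    {"_id": "al-1", "@timestamp": "2024-05-01T10:05:10Z",
     "kibana.alert.rule.name": "External Alerts",
     "kibana.alert.original_time": "2024-05-01T10:00:00Z",
     "kibana.alert.ancestors": [{"id": "ev-1", "index": "logs-suricata.eve-default"}]},
    {"_id": "al-2", "@timestamp": "2024-05-01T10:05:10Z",
     "kibana.alert.rule.name": "External Alerts",
     "kibana.alert.original_time": "2024-05-01T10:04:40Z",
     "kibana.alert.ancestors": [{"id": "ev-2", "index": "logs-suricata.eve-default"}]},
    {"_id": "al-3", "@timestamp": "2024-05-01T10:10:10Z",
     "kibana.alert.rule.name": "External Alerts",
     "kibana.alert.original_time": "2024-05-01T10:09:50Z",
     "kibana.alert.ancestors": [{"id": "ev-3", "index": "logs-suricata.eve-default"}]},
]

def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def count_in_window(docs, field, start, end):
    """Count documents whose `field` falls in [start, end)."""
    lo, hi = parse_ts(start), parse_ts(end)
    return sum(1 for d in docs if field in d and lo <= parse_ts(d[field]) < hi)

def promotion_lag(raw_events, alerts):
    """Join each promoted alert back to its source event via the ancestor id
    and report how long after the source event the rule fired."""
    by_id = {e["_id"]: e for e in raw_events}
    rows = []
    for a in alerts:
        src = by_id.get(a["kibana.alert.ancestors"][0]["id"])
        if src is None:  # alert whose source event is no longer in the raw index
            rows.append({"alert": a["_id"], "source": None, "lag_s": None, "original_time_ok": False})
            continue
        lag = (parse_ts(a["@timestamp"]) - parse_ts(src["@timestamp"])).total_seconds()
        rows.append({"alert": a["_id"], "source": src["_id"], "lag_s": lag,
                     "original_time_ok": a["kibana.alert.original_time"] == src["@timestamp"]})
    return rows

if __name__ == "__main__":
    window = ("2024-05-01T10:00:00Z", "2024-05-01T10:05:00Z")
    print("raw events by @timestamp:", count_in_window(RAW_SURICATA, "@timestamp", *window))
    print("alerts by @timestamp:", count_in_window(PROMOTED_ALERTS, "@timestamp", *window))
    print("alerts by original_time:", count_in_window(PROMOTED_ALERTS, "kibana.alert.original_time", *window))
    for row in promotion_lag(RAW_SURICATA, PROMOTED_ALERTS):
        print(row)
```

Counting alerts by `@timestamp` gives 0 for the window while both the raw view and the original-time view give 2, which is the mismatch the post describes.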