I have a soc-filebeat alias whit filter on filebeat-7.11.1-* and use soc-* for Elasticsearch indices in settings. And have created a user that have full access to soc-.
All dashboards are OK under Security network and security host. But if you click on a event to get event details its blank. if i give access to filebeat- to the user you get all the event details.
Way cant the event details use the same soc-* ?