Why aren't Event details under Security using the same query as you put in Elasticsearch indices?

I have a soc-filebeat alias with a filter on filebeat-7.11.1-* and use soc-* for Elasticsearch indices in settings. I have also created a user that has full access to soc-.
All dashboards are OK under Security network and Security host. But if you click on an event to get event details, it's blank. If I give access to filebeat- to the user, you get all the event details.

Why can't the event details use the same soc-*?