
[Security Solution] Rule run is failing for a CCS EQL with event absence due to the kibana.alert.ancestors.index value multiplication in the alerts #190201

Open

Description

Describe the bug:
Rule run is failing for a CCS EQL with event absence due to the kibana.alert.ancestors.index value multiplication in the alerts

Kibana/Elasticsearch Stack version:
8.15

Server OS version:

Browser and Browser OS versions:

Elastic Endpoint version:

Original install method (e.g. download page, yum, from source, etc.):

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):

Pre-requisites:

  1. Have 2 clusters connected
  2. Have multiple documents indexed on remote cluster within the maxspan of 60 seconds
     e.g.: 5000 documents with initial timestamp and 5000 documents with timestamp +30s

     {
       "@timestamp": "2024-08-08T23:15:30.000Z",
       "host": {
         "name": "paulas-macbook-pro.local"
       },
       "agent": {
         "name": "Paulas-MacBook-Pro.local"
       }
     }

Steps to reproduce:

  1. In the primary cluster, create an EQL rule with the index pattern from the remote cluster and containing event absence in the query

e.g:

index pattern: paula_eql_2:my_index_eql_1

EQL query:

sequence by host.name with maxspan=60s
[ any where agent.name == "Paulas-MacBook-Pro.local" ]
![ any where agent.name == "host-test"]

Current behavior:
When the rule runs and alerts are generated, the kibana.alert.ancestors.index value is being multiplied repeatedly and it's causing a parse error and run failure.

It can be observed that the value of the _index field when the query is run directly is multiplied repeatedly:


From .internal.alerts-security.alerts-default-* index:

Expected behavior:
kibana.alert.ancestors.index value should NOT be multiplied
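The following script is an added example (not from this issue or the Kibana code base) that scans alert hits for the symptom described above: an ancestor whose index field carries the same index name repeated many times. The hit shape (dotted kibana.alert.ancestors key with id/type/index/depth entries, and the repetition appearing as a list of identical strings) is an assumption made for the example; the sample hits are constructed.

```python
import copy
from collections import Counter

# Constructed sample hits shaped after the alert fields named in the issue.
# "a1" carries the assumed symptom (one ancestor's index repeated 4x);
# "a2" is a healthy two-event sequence alert, whose two ancestors legitimately
# share the same index name and must NOT be flagged.
SAMPLE_HITS = [
    {"_id": "a1", "_source": {"kibana.alert.ancestors": [
        {"id": "e1", "type": "event", "depth": 0,
         "index": ["paula_eql_2:my_index_eql_1"] * 4},
    ]}},
    {"_id": "a2", "_source": {"kibana.alert.ancestors": [
        {"id": "e2", "type": "event", "depth": 0, "index": "paula_eql_2:my_index_eql_1"},
        {"id": "e3", "type": "event", "depth": 0, "index": "paula_eql_2:my_index_eql_1"},
    ]}},
]


def repetition_factor(index_value):
    """Highest count of one index name inside a single ancestor's 'index' field.
    1 means a plain string or a list with no repeated names."""
    if isinstance(index_value, str):
        return 1
    return max(Counter(index_value).values(), default=1)


def find_multiplied_index(hits):
    """Map alert _id -> worst repetition factor for alerts showing the symptom."""
    affected = {}
    for hit in hits:
        ancestors = hit["_source"].get("kibana.alert.ancestors", [])
        worst = max((repetition_factor(a.get("index", "")) for a in ancestors), default=1)
        if worst > 1:
            affected[hit["_id"]] = worst
    return affected


def dedup_ancestor_index(hit):
    """Copy of the hit with each ancestor's 'index' collapsed to its distinct
    names in original order; a single remaining name becomes a plain string."""
    fixed = copy.deepcopy(hit)
    for anc in fixed["_source"].get("kibana.alert.ancestors", []):
        value = anc.get("index")
        if isinstance(value, list):
            distinct = list(dict.fromkeys(value))
            anc["index"] = distinct[0] if len(distinct) == 1 else distinct
    return fixed


if __name__ == "__main__":
    for alert_id, factor in find_multiplied_index(SAMPLE_HITS).items():
        print(f"{alert_id}: ancestor index repeated {factor}x")
```

To run it against a live cluster, replace SAMPLE_HITS with the hits array returned by a search on the alerts index named in the issue.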

Screenshots (if relevant):


Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):

Any additional context (logs, chat logs, magical formulas, etc.):


Labels

  - Team: SecuritySolution: Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
  - Team:Detection Engine: Security Solution Detection Engine Area
  - Team:Detections and Resp: Security Detection Response Team
  - bug: Fixes for quality problems that affect the customer experience
  - impact:medium: Addressing this issue will have a medium level of impact on the quality/strength of our product.
