Change the type of threatintel.indicator.first_seen to date (#26765)

The `threatintel` module field was incorrectly mapped as keyword instead
of date.

(cherry picked from commit b6ee587)

CHANGELOG.next.asciidoc

@@ -77,6 +77,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - All url.* fields apart from url.original in the Apache, Nginx, IIS, Traefik, S3Access, Cisco, F5, Fortinet, Google Workspace, Imperva, Microsoft, Netscout, O365, Sophos, Squid, Suricata, Zeek, Zia, Zoom, and ZScaler modules are now url unescaped due to using the Elasticsearch uri_parts processor. {pull}24699[24699]
 - Deprecated the cyberark module (replaced by cyberarkpas). {issue}25261[25261] {pull}25505[25505]
 - Change source field for `event.action` in `fortinet.firewall` module to `fortinet.firewall.action` instead of `fortinet.firewall.eventtype`. {pull}24816[24816]
+- threatintel module: Changed the type of `threatintel.indicator.first_seen` from `keyword` to `date`. {pull}26765[26765]
 
 *Heartbeat*
 - Add support for screenshot blocks and use newer synthetics flags that only works in newer synthetics betas. {pull}25808[25808]

filebeat/docs/fields.asciidoc

@@ -145732,7 +145732,7 @@ Fields from the threatintel Filebeat module.
 The date and time when intelligence source first reported sighting this indicator.
 
 
-type: keyword
+type: date
 
 --
 

x-pack/filebeat/module/threatintel/_meta/fields.yml

@@ -11,7 +11,7 @@
         Fields from the threatintel Filebeat module.
       fields:
         - name: indicator.first_seen
-          type: keyword
+          type: date
           description: >
             The date and time when intelligence source first reported sighting this indicator.
         - name: indicator.last_seen