Change the type of threatintel.indicator.first_seen to date (#26765)

The `threatintel` module field was incorrectly mapped as keyword instead of date.
elastic · Jul 9, 2021 · b6ee587 · b6ee587
1 parent d07846b
commit b6ee587
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 3 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -105,6 +105,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Rename `network.direction` values in crowdstrike/falcon to `ingress`/`egress`. {pull}23041[23041]
 - Change logging in logs input to structure logging. Some log message formats have changed. {pull}25299[25299]
 - Change source field for `event.action` in `fortinet.firewall` module to `fortinet.firewall.action` instead of `fortinet.firewall.eventtype`. {pull}24816[24816]
+- threatintel module: Changed the type of `threatintel.indicator.first_seen` from `keyword` to `date`. {pull}26765[26765]
 
 *Heartbeat*
 - Add support for screenshot blocks and use newer synthetics flags that only works in newer synthetics betas. {pull}25808[25808]

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -151942,7 +151942,7 @@ Fields from the threatintel Filebeat module.
 The date and time when intelligence source first reported sighting this indicator.
 
 
-type: keyword
+type: date
 
 --
 

diff --git a/x-pack/filebeat/module/threatintel/_meta/fields.yml b/x-pack/filebeat/module/threatintel/_meta/fields.yml
@@ -11,7 +11,7 @@
         Fields from the threatintel Filebeat module.
       fields:
         - name: indicator.first_seen
-          type: keyword
+          type: date
           description: >
             The date and time when intelligence source first reported sighting this indicator.
         - name: indicator.last_seen

diff --git a/x-pack/filebeat/module/threatintel/fields.go b/x-pack/filebeat/module/threatintel/fields.go