elastic · susan-shu-c · Dec 26, 2025 · Dec 26, 2025 · Dec 26, 2025 · Dec 26, 2025
@@ -1,3 +1,8 @@
+- version: "1.4.0"
+  changes:
+    - description: Add source.ip to beaconing and fix indexing timestamp
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/16706/
 - version: "1.3.3"
   changes:
     - description: Update documentation on configuring data view for dashboards

@@ -5,4 +5,9 @@ processors:
         - '@timestamp'
         - _id
       method: SHA-256
-      target_field: _id
+      target_field: _id
+  - date:
+      field: event.ingested
+      formats:
+        - UNIX
+      target_field: event.ingested
@@ -2,6 +2,8 @@
   type: keyword
 - name: process.name
   type: keyword
+- name: source.ip
+  type: ip
 - name: beacon_stats.autocovariance
   type: float
 - name: beacon_stats.beaconing_score

@@ -1,6 +1,6 @@
 dest:
-  index: ml_beaconing-1.3.3
-  pipeline: 1.3.3-ml_beaconing_ingest_pipeline
+  index: ml_beaconing-1.4.0
+  pipeline: 1.4.0-ml_beaconing_ingest_pipeline
   aliases:
     - alias: ml_beaconing.latest
       move_on_creation: true
@@ -347,6 +347,9 @@ pivot:
     'process.name':
       terms:
         field: process.name
+    'source.ip':
+      terms:
+        field: source.ip
 source:
   index: logs-*
   query:
@@ -382,10 +385,12 @@ source:
             must_not:
               terms:
                 'destination.ip': ["10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "127.0.0.0/8", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8", "13.64.0.0/11", "13.104.0.0/14", "13.96.0.0/13", "18.209.113.128/26", "20.33.0.0/16", "20.34.0.0/15", "20.36.0.0/14", "20.40.0.0/13", "20.48.0.0/12", "20.64.0.0/10", "20.128.0.0/16", "20.36.0.0/14", "20.34.0.0/15", "20.40.0.0/13", "20.128.0.0/16", "20.48.0.0/12", "20.33.0.0/16", "20.180.0.0/14", "20.184.0.0/13", "23.64.0.0/14", "23.32.0.0/11", "40.74.0.0/15", "40.76.0.0/14", "40.80.0.0/12", "40.96.0.0/12", "40.112.0.0/13", "40.120.0.0/14", "40.124.0.0/16", "40.126.0.0/18", "40.125.0.0/17", "52.132.0.0/14", "52.136.0.0/13", "52.148.0.0/14", "52.145.0.0/16", "52.146.0.0/15", "52.160.0.0/11", "52.152.0.0/13", "52.224.0.0/11"]
+settings:
+  deduce_mappings: false
 sync:
   time:
     delay: 120s
     field: "@timestamp"
 _meta:
-  fleet_transform_version: 1.2.4
+  fleet_transform_version: 1.4.0
   run_as_kibana_system: false
@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: beaconing
 title: "Network Beaconing Identification"
-version: 1.3.3
+version: 1.4.0
 source:
   license: "Elastic-2.0"
 description: "Package to identify beaconing activity in your network events."