diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_threat_matching.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_threat_matching.ts
index 9da98e316315db..240f3cc8e3d250 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_threat_matching.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_threat_matching.ts
@@ -600,6 +600,21 @@ export default ({ getService }: FtrProviderContext) => {
             },
             {
               indicator: [
+                {
+                  description: 'this should match auditbeat/hosts on both port and ip',
+                  first_seen: '2021-01-26T11:06:03.000Z',
+                  ip: '45.115.45.3',
+                  matched: {
+                    atomic: '45.115.45.3',
+                    id: '978785',
+                    index: 'filebeat-8.0.0-2021.01.26-000001',
+                    field: 'source.ip',
+                    type: 'url',
+                  },
+                  port: 57324,
+                  provider: 'geenensp',
+                  type: 'url',
+                },
                 {
                   description: "domain should match the auditbeat hosts' data's source.ip",
                   domain: '159.89.119.67',
@@ -618,21 +633,6 @@ export default ({ getService }: FtrProviderContext) => {
                     scheme: 'http',
                   },
                 },
-                {
-                  description: 'this should match auditbeat/hosts on both port and ip',
-                  first_seen: '2021-01-26T11:06:03.000Z',
-                  ip: '45.115.45.3',
-                  matched: {
-                    atomic: '45.115.45.3',
-                    id: '978785',
-                    index: 'filebeat-8.0.0-2021.01.26-000001',
-                    field: 'source.ip',
-                    type: 'url',
-                  },
-                  port: 57324,
-                  provider: 'geenensp',
-                  type: 'url',
-                },
                 {
                   description: 'this should match auditbeat/hosts on both port and ip',
                   first_seen: '2021-01-26T11:06:03.000Z',
diff --git a/x-pack/test/functional/es_archives/filebeat/threat_intel/data.json b/x-pack/test/functional/es_archives/filebeat/threat_intel/data.json
index 0cbc7f37bd519a..8f3c6a7d941de7 100644
--- a/x-pack/test/functional/es_archives/filebeat/threat_intel/data.json
+++ b/x-pack/test/functional/es_archives/filebeat/threat_intel/data.json
@@ -4,7 +4,7 @@
     "id": "978783",
     "index": "filebeat-8.0.0-2021.01.26-000001",
     "source": {
-      "@timestamp": "2021-01-26T11:09:05.529Z",
+      "@timestamp": "2021-01-26T11:09:00.000Z",
       "agent": {
         "ephemeral_id": "b7b56c3e-1f27-4c69-96f4-aa9ca47888d0",
         "id": "69acb5f0-1e79-4cfe-a4dc-e0dbf229ff51",
@@ -73,7 +73,7 @@
     "id": "978784",
     "index": "filebeat-8.0.0-2021.01.26-000001",
     "source": {
-      "@timestamp": "2021-01-26T11:09:05.529Z",
+      "@timestamp": "2021-01-26T11:09:01.000Z",
       "agent": {
         "ephemeral_id": "b7b56c3e-1f27-4c69-96f4-aa9ca47888d0",
         "id": "69acb5f0-1e79-4cfe-a4dc-e0dbf229ff51",
@@ -142,7 +142,7 @@
     "id": "978785",
     "index": "filebeat-8.0.0-2021.01.26-000001",
     "source": {
-      "@timestamp": "2021-01-26T11:09:05.529Z",
+      "@timestamp": "2021-01-26T11:09:02.000Z",
       "agent": {
         "ephemeral_id": "b7b56c3e-1f27-4c69-96f4-aa9ca47888d0",
         "id": "69acb5f0-1e79-4cfe-a4dc-e0dbf229ff51",
@@ -212,7 +212,7 @@
     "id": "978787",
     "index": "filebeat-8.0.0-2021.01.26-000001",
     "source": {
-      "@timestamp": "2021-01-26T11:09:05.529Z",
+      "@timestamp": "2021-01-26T11:09:03.000Z",
       "agent": {
         "ephemeral_id": "b7b56c3e-1f27-4c69-96f4-aa9ca47888d0",
         "id": "69acb5f0-1e79-4cfe-a4dc-e0dbf229ff51",