From f6ad36f530debdea40afa5ec6e3bbd0ddebe22f2 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Thu, 29 Nov 2018 00:00:18 +0100 Subject: [PATCH] Fixed rule --- rules/windows/builtin/win_multiple_suspicious_cli.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_multiple_suspicious_cli.yml b/rules/windows/builtin/win_multiple_suspicious_cli.yml index edecf0bfd..1d058b202 100644 --- a/rules/windows/builtin/win_multiple_suspicious_cli.yml +++ b/rules/windows/builtin/win_multiple_suspicious_cli.yml @@ -47,7 +47,7 @@ detection: - wbadmin.exe - icacls.exe - diskpart.exe - timeframe: 5min + timeframe: 5m condition: selection | count() by MachineName > 5 falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment
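Review bot: The condition `selection | count() by MachineName > 5` counts matching events per host, so six runs of one listed tool within the window (e.g. icacls.exe invoked in a loop by a logon script) trip the rule, while an adversary running five different listed tools once each does not; if the title's "multiple suspicious cli" means distinct tools, a distinct-value aggregation such as `count(Image) by MachineName > 5` (or a lower threshold) fits better, assuming Image is the field the selection matches on. The `5m` form is what the Sigma timeframe grammar expects, so the change itself is correct. It is also worth checking that `MachineName` is the host field name used by the other Windows builtin rules (many use `ComputerName`), since a mismatched aggregation key yields no grouping in some backends. The `detection:` block and its selection begin before this hunk.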