diff --git a/rules/cross-platform/threat_intel_module_match.toml b/rules/cross-platform/threat_intel_module_match.toml
index c81ee0ea2..699c1d4c7 100644
--- a/rules/cross-platform/threat_intel_module_match.toml
+++ b/rules/cross-platform/threat_intel_module_match.toml
@@ -69,11 +69,11 @@ threat_index = [ "filebeat-*"]
 threat_indicator_path = ""
 threat_language = "kuery"
-threat_query = """
-event.module:threatintel and
+threat_query = '''
+@timestamp >= "now-30d" and event.module:threatintel and
 (threatintel.indicator.file.hash.*:* or threatintel.indicator.file.pe.imphash:* or threatintel.indicator.ip:* or
 threatintel.indicator.registry.path:* or threatintel.indicator.url.full:*)
-"""
+'''
 query = """
 file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*