From 2bb9fdb7243d5a5f61cd4f758483a7efa0fba3aa Mon Sep 17 00:00:00 2001
From: Khristinin Nikita
Date: Mon, 20 Sep 2021 21:19:52 +0200
Subject: [PATCH] Add default timestamp condition for threat_query (#1486)

(cherry picked from commit 10a977914b16349f42ea3612646c39f3fd85b0b0)
---
 rules/cross-platform/threat_intel_module_match.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/cross-platform/threat_intel_module_match.toml b/rules/cross-platform/threat_intel_module_match.toml
index c81ee0ea2..699c1d4c7 100644
--- a/rules/cross-platform/threat_intel_module_match.toml
+++ b/rules/cross-platform/threat_intel_module_match.toml
@@ -69,11 +69,11 @@ threat_index = [ "filebeat-*"]
 threat_indicator_path = ""
 threat_language = "kuery"
-threat_query = """
-event.module:threatintel and
+threat_query = '''
+@timestamp >= "now-30d" and event.module:threatintel and
 (threatintel.indicator.file.hash.*:* or threatintel.indicator.file.pe.imphash:* or threatintel.indicator.ip:* or threatintel.indicator.registry.path:* or threatintel.indicator.url.full:*)
-"""
+'''
 query = """
 file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*
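Review bot: The new `@timestamp >= "now-30d"` clause added to threat_query hard-codes a 30-day indicator window with no comment explaining it, so a reader cannot tell whether it is a false-positive control, a bound on the size of the indicator set the threat_match rule has to join against, or both, nor that the rule silently matches nothing once the feed has been quiet for 30 days. `@timestamp` on the filebeat-* indicator documents is presumably the feed ingestion time rather than the indicator's published validity period, so an IoC that remains valid longer than 30 days is dropped once its last copy ages out; worth confirming against the threatintel module's mapping before relying on the window. I would add above the key: `# Only indicators ingested in the last 30 days are matched; this bounds the indicator set and excludes stale IoCs. If the feed lapses for 30 days the rule silently stops matching.` The switch from `"""` to `'''` is not required by TOML (a basic multi-line string may contain an unescaped `"`) but is harmless; the enclosing `[rule]` table begins before the hunk.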