From 2c197b57fb0d4e757b146dadd4ab74aad6824cc4 Mon Sep 17 00:00:00 2001
From: Khristinin Nikita
Date: Mon, 1 Nov 2021 09:27:38 +0100
Subject: [PATCH] Change interval and lookback time for IM rule (#1596)

(cherry picked from commit f47b0f61ccd55e6210e39ac22d884193157d11a6)
---
 rules/cross-platform/threat_intel_module_match.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/cross-platform/threat_intel_module_match.toml b/rules/cross-platform/threat_intel_module_match.toml
index 699c1d4c7..998729b0c 100644
--- a/rules/cross-platform/threat_intel_module_match.toml
+++ b/rules/cross-platform/threat_intel_module_match.toml
@@ -1,16 +1,16 @@
 [metadata]
 creation_date = "2021/04/21"
 maturity = "production"
-updated_date = "2021/09/13"
+updated_date = "2021/10/29"

 [rule]
 author = ["Elastic"]
 description = """
 This rule is triggered when indicators from the Threat Intel Filebeat module has a match against local file or network observations.
 """
-from = "now-10m"
+from = "now-65m"
 index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
-interval = "9m"
+interval = "1h"
 language = "kuery"
 license = "Elastic License v2"
 name = "Threat Intel Filebeat Module Indicator Match"
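Review bot: With `from = "now-65m"` and `interval = "1h"`, consecutive runs overlap by only five minutes, so an event indexed more than five minutes after its timestamp falls outside every run's window and is never compared against the indicators. Unless the rule sets `timestamp_override` further down (the `[rule]` table continues past this hunk), a wider lookback such as `from = "now-70m"` (example value) would tolerate more ingest lag on the six index patterns. The hourly schedule also raises the worst-case time-to-alert for an indicator match from roughly ten minutes to about an hour. The commit message gives no reason for the change, so a `#` comment above `interval` recording the reason and the accepted latency would help whoever tunes the schedule next.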