diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
index f03d9bf2a..0ffabcd53 100644
--- a/rules/windows/impact_high_freq_file_renames_by_kernel.toml
+++ b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/05/23"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 This rule identifies a high number (20) of file creation event by the System virtual process from the same host and with same file name containing keywords similar to ransomware note files and all within a short time period.
 """
-from = "now-1m"
+from = "now-9m"
 index = ["logs-endpoint.events.file-*"]
 language = "kuery"
 license = "Elastic License v2"
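Review bot: The widened lookback on `from = "now-9m"` is not reflected in the rule description two lines above, which still describes the 20-event threshold as firing "within a short time period" without saying how long that period is; now that each execution evaluates the count over up to nine minutes of data, the description should state that window so an analyst triaging the alert knows what burst rate it actually represents, e.g. `... ransomware note files, all within a 9-minute window.` The `interval` key is outside this hunk, so I cannot see whether it was adjusted alongside `from`; with an interval shorter than the lookback, consecutive runs overlap and the same burst may be counted by more than one run, which is usually the intent (no gaps) but is worth a one-line comment or note explaining the chosen 9m so the next tuning pass does not revert it. While touching the description, `file creation event` should read `file creation events` and `with same file name` should read `with the same file name`.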