From 603f3c313a440fc1157bcd44b3956ce26fcd891d Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 23 May 2024 17:59:58 +0100
Subject: [PATCH] Update impact_high_freq_file_renames_by_kernel.toml (#3707)

---
 rules/windows/impact_high_freq_file_renames_by_kernel.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
index f03d9bf2a..0ffabcd53 100644
--- a/rules/windows/impact_high_freq_file_renames_by_kernel.toml
+++ b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/05/23"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 This rule identifies a high number (20) of file creation event by the System virtual process from the same host and with same file name containing keywords similar to ransomware note files and all within a short time period.
 """
-from = "now-1m"
+from = "now-9m"
 index = ["logs-endpoint.events.file-*"]
 language = "kuery"
 license = "Elastic License v2"
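Review bot: Widening `from` to `now-9m` changes how long the 20-event count has to accumulate, yet the description in the same hunk still says the events occur "all within a short time period", and the `interval` that decides how much of that 9-minute lookback is re-scanned on consecutive runs is not in this hunk. If `interval` is shorter than 9m, part of each window is counted twice, so a single burst of ransomware-note creations can satisfy the threshold on two successive executions; confirm that overlap is intended (it is a common choice to absorb ingest delay) rather than an accidental source of duplicate alerts. I would also make the window explicit for analysts, e.g. `... and all within a short time period (the rule's 9-minute lookback window).` The `[rule]` table this hunk belongs to continues past the end of the hunk, so the threshold and `interval` settings could not be checked here.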