diff --git a/rules/cross-platform/threat_intel_filebeat8x.toml b/rules/cross-platform/threat_intel_filebeat8x.toml
index b7521a247..f54def5a3 100644
--- a/rules/cross-platform/threat_intel_filebeat8x.toml
+++ b/rules/cross-platform/threat_intel_filebeat8x.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/11/24"
 maturity = "production"
-updated_date = "2021/11/24"
+updated_date = "2022/01/26"
 min_stack_comments = "Threat index is ECS 1.11 compliant (8.0)."
 min_stack_version = "8.0"
@@ -72,7 +72,7 @@
 threat_indicator_path = "threat.indicator"
 threat_language = "kuery"
 threat_query = '''
-@timestamp >= "now-30d" and event.dataset:ti_* and
+@timestamp >= "now-30d/d" and event.dataset:ti_* and
 (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or threat.indicator.url.full:*)
 '''
diff --git a/rules/cross-platform/threat_intel_fleet_integrations.toml b/rules/cross-platform/threat_intel_fleet_integrations.toml
index 5e12cad57..2b3fa24a2 100644
--- a/rules/cross-platform/threat_intel_fleet_integrations.toml
+++ b/rules/cross-platform/threat_intel_fleet_integrations.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/04/21"
 maturity = "production"
-updated_date = "2021/11/24"
+updated_date = "2022/01/26"
 min_stack_comments = "Threat intel module fields were updated from `threatintel.*` to `threat.*` in ECS 1.11 (7.16)."
 min_stack_version = "8.0"
@@ -72,7 +72,7 @@
 threat_indicator_path = "threat.indicator"
 threat_language = "kuery"
 threat_query = '''
-@timestamp >= "now-30d" and event.dataset:ti_* and
+@timestamp >= "now-30d/d" and event.dataset:ti_* and
 (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or threat.indicator.url.full:*)
 '''
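Review bot: The switch from `now-30d` to `now-30d/d` in threat_query is undocumented, and nothing in the rule file records that the `/d` suffix rounds the lower bound down to the start of that day (UTC by default, as far as I can tell from date-math semantics), which keeps the indicator window stable across runs within a day but also admits indicators up to 24 hours older than a strict 30-day lookback. A one-line TOML comment above the `threat_query = '''` key would capture this for the next maintainer, e.g. `# Round the 30d lookback to a day boundary (/d) so the indicator window is stable within a day; this can admit up to 24h of older indicators.` A `#` inside the `'''` literal would become part of the KQL, so the comment has to sit above the key rather than in the query. The same change appears in the threat_intel_fleet_integrations.toml hunk and would benefit from the same comment. The table these keys belong to opens before the hunk, so its header is not visible here.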