From 8975b5de18d1898f48eeb0d68769d2d7d790d7c9 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 23 May 2024 17:59:58 +0100
Subject: [PATCH] Update impact_high_freq_file_renames_by_kernel.toml (#3707)

(cherry picked from commit 603f3c313a440fc1157bcd44b3956ce26fcd891d)
---
 rules/windows/impact_high_freq_file_renames_by_kernel.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
index f03d9bf2a..0ffabcd53 100644
--- a/rules/windows/impact_high_freq_file_renames_by_kernel.toml
+++ b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/03"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/05/23"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 This rule identifies a high number (20) of file creation event by the System virtual process from the same host and with
 same file name containing keywords similar to ransomware note files and all within a short time period.
 """
-from = "now-1m"
+from = "now-9m"
 index = ["logs-endpoint.events.file-*"]
 language = "kuery"
 license = "Elastic License v2"
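Review bot: The new `from = "now-9m"` in the second hunk only closes the earlier coverage gap if the rule's `interval` (outside this hunk; presumably the Elastic default of 5m) stays below nine minutes, and nothing in the file records that dependency. A lookback shorter than the run interval, as `now-1m` was, leaves the events between two executions unexamined, so the threshold of 20 events could never accumulate across that span; a lookback longer than the interval instead re-reads the overlap on every run to absorb ingestion lag, which is what this change appears to intend. The `description` still says only "all within a short time period" without naming the window that the count is evaluated over. Consider a comment above the key, `# Lookback must exceed the run interval; the overlap covers ingestion delay so no window is skipped`, and stating the effective counting window in the description so the next edit does not silently reintroduce the gap.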