diff --git a/rules/cross-platform/threat_intel_filebeat8x.toml b/rules/cross-platform/threat_intel_filebeat8x.toml
index 18c9f29f0..dda36e752 100644
--- a/rules/cross-platform/threat_intel_filebeat8x.toml
+++ b/rules/cross-platform/threat_intel_filebeat8x.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/11/24"
 maturity = "production"
-updated_date = "2022/01/26"
+updated_date = "2022/02/10"
 min_stack_comments = "Threat index is ECS 1.11 compliant (8.0)."
 min_stack_version = "8.0"
@@ -72,7 +72,7 @@ threat_indicator_path = "threat.indicator"
 threat_language = "kuery"
 threat_query = '''
-@timestamp >= "now-30d/d" and event.dataset:ti_* and
+@timestamp >= "now-30d/d" and event.module:threatintel and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or threat.indicator.url.full:*)
 '''
@@ -89,11 +89,11 @@ store = "appState"
 negate = false
 disabled = false
 type = "phrase"
-key = "event.dataset"
+key = "event.module"
 [rule.threat_filters.meta.params]
-query = "ti_*"
+query = "threatintel"
 [rule.threat_filters.query.match_phrase]
-"event.dataset" = "ti_*"
+"event.module" = "threatintel"
 [[rule.threat_filters]]
 [rule.threat_filters."$state"]
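Review bot: Switching the indicator selector in `threat_query` from `event.dataset:ti_*` to `event.module:threatintel` excludes any threat-index document whose `event.dataset` starts with `ti_` but does not also carry `event.module: threatintel`, and nothing in the diff records why the narrower selector was chosen for a `maturity = "production"` rule. The same value is repeated in the `rule.threat_filters` hunk (`key`, `meta.params.query` and `match_phrase`), so the selector now lives in four spots that must be changed together; a later edit to one alone would leave the KQL and the saved filter disagreeing. I would record the rationale where the generated TOML keeps it, presumably the rule's `note` or description outside this diff, along the lines of `indicators are selected by event.module:threatintel; ti_* datasets not tagged with that module are not matched`, and confirm against the live threat index that the matched indicator count is as expected before merging. The `threat_query` string continues past the visible part of the hunk.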