diff --git a/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml b/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml
index 662f12dab..4754264f3 100644
--- a/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml
+++ b/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/09/14"
 integration = ["dga", "endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/04/22"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ references = [
 "https://docs.elastic.co/en/integrations/dga",
 "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration",
 ]
-risk_score = 99
+risk_score = 73
 rule_id = "bcaa15ce-2d41-44d7-a322-918f9db77766"
 setup = """## Setup
 
@@ -43,7 +43,7 @@ The DGA Detection integration consists of an ML-based framework to detect DGA ac
 - Follow the instructions under the **Installation** section.
 - For this rule to work, complete the instructions through **Configure the ingest pipeline**.
 """
-severity = "critical"
+severity = "high"
 tags = [
 "Domain: Network",
 "Domain: Endpoint",
diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
index a34a8b13d..3e98f2fdb 100644
--- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
+++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/10/05"
 integration = ["network_traffic"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/04/22"
 
 [rule]
 author = ["Elastic"]
@@ -64,9 +64,9 @@ references = [
 "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html",
 "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack",
 ]
-risk_score = 99
+risk_score = 73
 rule_id = "e7075e8d-a966-458e-a183-85cd331af255"
-severity = "critical"
+severity = "high"
 tags = [
 "Tactic: Command and Control",
 "Threat: Cobalt Strike",
diff --git a/rules/threat_intel/threat_intel_indicator_match_address.toml b/rules/threat_intel/threat_intel_indicator_match_address.toml
index 7ea8e2df1..ee45367dc 100644
--- a/rules/threat_intel/threat_intel_indicator_match_address.toml
+++ b/rules/threat_intel/threat_intel_indicator_match_address.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/05/22"
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/04/22"
 
 [transform]
 [[transform.osquery]]
@@ -101,7 +101,7 @@ references = [
 "https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html",
 "https://www.elastic.co/security/tip",
 ]
-risk_score = 99
+risk_score = 73
 rule_id = "0c41e478-5263-4c69-8f9e-7dfd2c22da64"
 setup = """## Setup
 
@@ -112,7 +112,7 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th
 
 More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
 """
-severity = "critical"
+severity = "high"
 tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match", "Resources: Investigation Guide"]
 threat_index = ["filebeat-*", "logs-ti_*"]
 threat_indicator_path = "threat.indicator"
diff --git a/rules/threat_intel/threat_intel_indicator_match_email.toml b/rules/threat_intel/threat_intel_indicator_match_email.toml
index 6e34029d1..e4fa4bfc0 100644
--- a/rules/threat_intel/threat_intel_indicator_match_email.toml
+++ b/rules/threat_intel/threat_intel_indicator_match_email.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2025/04/11"
 maturity = "production"
-updated_date = "2025/04/11"
+updated_date = "2025/04/22"
 
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,7 @@ references = [
 "https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html",
 "https://www.elastic.co/security/tip",
 ]
-risk_score = 99
+risk_score = 73
 rule_id = "fcf18de8-ad7d-4d01-b3f7-a11d5b3883af"
 setup = """## Setup
 
@@ -79,7 +79,7 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th
 
 More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
 """
-severity = "critical"
+severity = "high"
 tags = ["Rule Type: Threat Match", "Resources: Investigation Guide"]
 threat_index = ["filebeat-*", "logs-ti_*"]
 threat_indicator_path = "threat.indicator"
diff --git a/rules/threat_intel/threat_intel_indicator_match_hash.toml b/rules/threat_intel/threat_intel_indicator_match_hash.toml
index d7106b90b..48d5c2e1d 100644
--- a/rules/threat_intel/threat_intel_indicator_match_hash.toml
+++ b/rules/threat_intel/threat_intel_indicator_match_hash.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/05/22"
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/04/22"
 
 [transform]
 [[transform.osquery]]
@@ -100,7 +100,7 @@ references = [
 "https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html",
 "https://www.elastic.co/security/tip",
 ]
-risk_score = 99
+risk_score = 73
 rule_id = "aab184d3-72b3-4639-b242-6597c99d8bca"
 setup = """## Setup
 
@@ -111,7 +111,7 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th
 
 More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
 """
-severity = "critical"
+severity = "high"
 tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match", "Resources: Investigation Guide"]
 threat_index = ["filebeat-*", "logs-ti_*"]
 threat_indicator_path = "threat.indicator"
diff --git a/rules/threat_intel/threat_intel_indicator_match_registry.toml b/rules/threat_intel/threat_intel_indicator_match_registry.toml
index 5cb082293..ea86714e7 100644
--- a/rules/threat_intel/threat_intel_indicator_match_registry.toml
+++ b/rules/threat_intel/threat_intel_indicator_match_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/05/22"
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/04/22"
 
 [transform]
 [[transform.osquery]]
@@ -95,7 +95,7 @@ references = [
 "https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html",
 "https://www.elastic.co/security/tip",
 ]
-risk_score = 99
+risk_score = 73
 rule_id = "a61809f3-fb5b-465c-8bff-23a8a068ac60"
 setup = """## Setup
 
@@ -106,7 +106,7 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th
 
 More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
 """
-severity = "critical"
+severity = "high"
 tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match", "Resources: Investigation Guide"]
 threat_index = ["filebeat-*", "logs-ti_*"]
 threat_indicator_path = "threat.indicator"
diff --git a/rules/threat_intel/threat_intel_indicator_match_url.toml b/rules/threat_intel/threat_intel_indicator_match_url.toml
index cbc01a294..93ac9f52d 100644
--- a/rules/threat_intel/threat_intel_indicator_match_url.toml
+++ b/rules/threat_intel/threat_intel_indicator_match_url.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/05/22"
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/04/22"
 
 [transform]
 [[transform.osquery]]
@@ -104,7 +104,7 @@ references = [
 "https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html",
 "https://www.elastic.co/security/tip",
 ]
-risk_score = 99
+risk_score = 73
 rule_id = "f3e22c8b-ea47-45d1-b502-b57b6de950b3"
 setup = """## Setup
 
@@ -115,7 +115,7 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th
 
 More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
 """
-severity = "critical"
+severity = "high"
 tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match", "Resources: Investigation Guide"]
 threat_index = ["filebeat-*", "logs-ti_*"]
 threat_indicator_path = "threat.indicator"
diff --git a/rules/threat_intel/threat_intel_rapid7_threat_command.toml b/rules/threat_intel/threat_intel_rapid7_threat_command.toml
index 1d532f38b..77f91577f 100644
--- a/rules/threat_intel/threat_intel_rapid7_threat_command.toml
+++ b/rules/threat_intel/threat_intel_rapid7_threat_command.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/29"
 integration = ["ti_rapid7_threat_command"]
 maturity = "production"
-updated_date = "2025/03/21"
+updated_date = "2025/04/22"
 
 [rule]
 author = ["Elastic"]
@@ -41,7 +41,7 @@ references = [
 "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
 "https://docs.elastic.co/integrations/ti_rapid7_threat_command",
 ]
-risk_score = 99
+risk_score = 73
 rule_id = "3a657da0-1df2-11ef-a327-f661ea17fbcc"
 setup = """
 ## Setup
@@ -57,7 +57,7 @@ More information can be found [here](https://www.elastic.co/guide/en/security/cu
 
 For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
 """
-severity = "critical"
+severity = "high"
 tags = [
 "OS: Windows",
 "Data Source: Elastic Endgame",