diff --git a/rules/threat_intel/threat_intel_rapid7_threat_command.toml b/rules/threat_intel/threat_intel_rapid7_threat_command.toml
index 85a6d0d45..fffdad302 100644
--- a/rules/threat_intel/threat_intel_rapid7_threat_command.toml
+++ b/rules/threat_intel/threat_intel_rapid7_threat_command.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/29"
 integration = ["ti_rapid7_threat_command"]
 maturity = "production"
-updated_date = "2024/06/12"
+updated_date = "2024/06/20"
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ tags = [
 "Use Case: Asset Visibility",
 "Use Case: Continuous Monitoring",
 ]
-threat_index = ["logs-ti_rapid7_threat_command_latest.ioc"]
+threat_index = ["logs-ti_rapid7_threat_command_latest.vulnerability"]
 threat_indicator_path = "rapid7.tc.vulnerability"
 threat_language = "kuery"
 threat_query = """
@@ -90,16 +90,16 @@ vulnerability.id : *
 '''
-[[rule.threat_filters]]
+[[rule.filters]]
-[rule.threat_filters."$state"]
+[rule.filters."$state"]
 store = "appState"
-[rule.threat_filters.meta]
+[rule.filters.meta]
 disabled = false
 key = "rapid7.tc.vulnerability.id"
 negate = true
 type = "exists"
-[rule.threat_filters.query.exists]
+[rule.filters.query.exists]
 field = "rapid7.tc.vulnerability.id"
 [[rule.threat_mapping]]
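Review bot: The new `threat_index` value `logs-ti_rapid7_threat_command_latest.vulnerability` is a hard-coded index name that, if the `_latest` suffix means what it does in Elastic's other threat-intel integrations, is populated by the integration's "latest" transform rather than by ingest directly, so a missing or stalled transform most likely leaves the rule matching nothing without any error. The path and the filter key now line up with `threat_indicator_path = "rapid7.tc.vulnerability"`, which is the consistency the old `.ioc` value lacked, but that operational dependency is not recorded anywhere in the hunk. A line above the key such as `# indicator index is the integration's "latest" transform output; if the rule goes quiet, check that the transform is running` would capture it. Whether the detection-rules tooling preserves TOML comments on round-trip is something I cannot confirm from here.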
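Review bot: The negated `exists` filter on `rapid7.tc.vulnerability.id` now constrains the source-event side of the match instead of the indicator side, and nothing in the block says why that is the intended side. Under `threat_filters` a clause excluding every document that has `rapid7.tc.vulnerability.id` would, given `threat_indicator_path = "rapid7.tc.vulnerability"` in the previous hunk, have removed the very indicators the rule needs, so the move reads as a genuine fix, but a future edit could just as easily move it back. Note too that the `[rule.filters.meta]` keys (`key`, `negate`, `type`) appear to describe the filter only for Kibana's UI, as far as I can tell; the clause actually executed is `[rule.filters.query.exists] field = "rapid7.tc.vulnerability.id"`, so the two have to be kept in step by hand. A comment above `[[rule.filters]]` such as `# Source-side filter: exclude documents that are themselves Rapid7 vulnerability indicators so they are never matched as events` would record the intent. The `[[rule.threat_mapping]]` table that opens on the hunk's last line continues outside it.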