++

Samirbous · Samirbous · commit 8c09a0a19425 · 2025-12-15T11:38:53.000Z
diff --git a/rules/cross-platform/multiple_alerts_from_different_modules_by_dstip.toml b/rules/cross-platform/multiple_alerts_from_different_modules_by_dstip.toml
@@ -10,7 +10,7 @@ This rule uses alert data to determine when multiple alerts from different integ
 involving the same destination.ip are triggered. Analysts can use this to prioritize triage and response, as these IP address
 is more likely to be related to a compromise.
 """
-from = "now-8h"
+from = "now-4h"
 interval = "1h"
 language = "esql"
 license = "Elastic License v2"
diff --git a/rules/cross-platform/multiple_alerts_from_different_modules_by_srcip.toml b/rules/cross-platform/multiple_alerts_from_different_modules_by_srcip.toml
@@ -10,7 +10,7 @@ This rule uses alert data to determine when multiple alerts from different integ
 involving the same source.ip are triggered. Analysts can use this to prioritize triage and response, as these IP addresses
 are more likely to be related to a compromise.
 """
-from = "now-8h"
+from = "now-4h"
 interval = "1h"
 language = "esql"
 license = "Elastic License v2"
