diff --git a/rules/cross-platform/guided_onboarding_sample_rule.toml b/rules/cross-platform/guided_onboarding_sample_rule.toml
index 5bbe240e151..90163be7f7e 100644
--- a/rules/cross-platform/guided_onboarding_sample_rule.toml
+++ b/rules/cross-platform/guided_onboarding_sample_rule.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/09/22"
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/12/19"
 
 [rule]
 author = ["Elastic"]
@@ -13,9 +13,9 @@ enabled = false
 false_positives = [
     "This rule is not looking for threat activity. Disable the rule if you're already familiar with alerts.",
 ]
-from = "now-30m"
+from = "now-35m"
 index = ["auditbeat-*", "filebeat-*", "logs-*", "winlogbeat-*"]
-interval = "24h"
+interval = "30m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 1
diff --git a/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml b/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
index f549188c2dd..7b637cda9ec 100644
--- a/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
+++ b/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/11"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/12/19"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
     APIs for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule.
     """,
 ]
-from = "now-5m"
+from = "now-9m"
 index = ["filebeat-*", "logs-aws.cloudtrail*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -28,7 +28,7 @@ note = """## Triage and analysis
 
 AWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.
 
-This rule looks for the rapid retrieval of credentials using `GetSecretValue` or `BatchGetSecretValue` actions in Secrets Manager programmatically. This is a [Threshold](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-threshold-rule) rule indicating 20 or more successful attempts to retrieve a secret value from Secrets Manager by the same user identity within a short timespan. 
+This rule looks for the rapid retrieval of credentials using `GetSecretValue` or `BatchGetSecretValue` actions in Secrets Manager programmatically. This is a [Threshold](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-threshold-rule) rule indicating 20 or more successful attempts to retrieve a secret value from Secrets Manager by the same user identity within a short timespan.
 
 #### Possible investigation steps
 
diff --git a/rules_building_block/discovery_generic_registry_query.toml b/rules_building_block/discovery_generic_registry_query.toml
index cfe2edba2ae..4370465eb15 100644
--- a/rules_building_block/discovery_generic_registry_query.toml
+++ b/rules_building_block/discovery_generic_registry_query.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/07/13"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/12/19"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ registry to gain situational awareness about the host, like installed security s
 """
 from = "now-24h"
 index = ["logs-endpoint.events.process-*"]
-interval = "24h"
+interval = "12h"
 language = "kuery"
 license = "Elastic License v2"
 name = "Query Registry using Built-in Tools"