diff --git a/detection/execution/unexpected-xattr-calls-macos.sql b/detection/execution/unexpected-xattr-calls-macos.sql
index 88fb27e..fe3271a 100644
--- a/detection/execution/unexpected-xattr-calls-macos.sql
+++ b/detection/execution/unexpected-xattr-calls-macos.sql
@@ -49,7 +49,7 @@ FROM process_events pe
 LEFT JOIN signature ON pp.path = signature.path
 LEFT JOIN signature esignature ON ppe.path = esignature.path
 WHERE pe.path = '/usr/bin/xattr'
- AND pe.time > (strftime('%s', 'now') -30000)
+ AND pe.time > (strftime('%s', 'now') -300)
 AND cmd != '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app'
 AND NOT (
 pe.euid > 500
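Review bot: The new 300-second lookback on `pe.time` in the WHERE clause only gives full coverage if this query is scheduled at least every 300 seconds, and the schedule is not visible in this hunk, so that should be confirmed. If the interval is longer, or a run is delayed (for example by host sleep), `/usr/bin/xattr` executions older than five minutes at the next run are never evaluated, which leaves a gap in detecting quarantine-attribute removal. I would tie the constant to the schedule with a comment above the line, e.g. `-- lookback in seconds; must be >= the scheduled interval, or xattr events between runs are missed`. The SELECT list and the rest of the `NOT (...)` exclusion lie outside the hunk.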