diff --git a/incident_response/file_events.sql b/incident_response/file_events.sql
index e78cdd9..caefc55 100644
--- a/incident_response/file_events.sql
+++ b/incident_response/file_events.sql
@@ -2,7 +2,7 @@
 --
 -- tags: postmortem
 -- platform: posix
-SELECT
- *
-FROM
- file_events;
+-- interval: 900
+SELECT *
+FROM file_events
+WHERE time > (strftime('%s', 'now') -900)
\ No newline at end of file
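Review bot: The new `WHERE time > (strftime('%s', 'now') -900)` filter hard-codes the same 900 seconds that the `-- interval: 900` header declares, and nothing ties the two together, so a later change to the interval leaves the window silently too narrow or too wide. Worse for an incident-response query, a strict `>` plus a fixed look-back drops any event that lands exactly on the boundary or in the gap created when a run is late (host asleep, agent restart, scheduler splay), producing holes in the forensic record with no error. If this runs as a scheduled query against an evented table like osquery's `file_events`, the scheduler already returns only events since the previous run, so the time filter is at best redundant and at worst lossy — consider dropping it; if it must stay, use `WHERE time >= (strftime('%s', 'now') - 900)` and add `-- look-back must match "interval" above; a delayed run still loses events older than the window` so the coupling is visible. Also add the missing trailing newline, which the hunk marks.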