Add data_stream.namespace to event stats

Author: Aegrah

rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml

@@ -62,7 +62,8 @@ from
     host.name,
     http.request.method,
     http.response.status_code,
-    event.dataset
+    event.dataset,
+    data_stream.namespace
 
 | stats
     Esql.event_count = count(),
@@ -72,7 +73,8 @@ from
     Esql.http_request_method_values = values(http.request.method),
     Esql.http_response_status_code_values = values(http.response.status_code),
     Esql.url_original_url_decoded_to_lower_values = values(Esql.url_original_url_decoded_to_lower),
-    Esql.event_dataset_values = values(event.dataset)
+    Esql.event_dataset_values = values(event.dataset),
+    Esql.data_stream_namespace_values = values(data_stream.namespace)
     by source.ip
 '''