[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413)

* [Rule Tuning] Interval fix + Datastream values to ESQL Rules

* Update persistence_web_server_potential_command_injection.toml

Author: Aegrah

rules/cross-platform/persistence_web_server_potential_command_injection.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/05"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ applications to inject and execute arbitrary commands on the server, often using
 PHP, or shell commands. By monitoring for these indicators in web traffic, security teams can identify and respond to
 potential threats early.
 """
-from = "now-9m"
+from = "now-11m"
 interval = "10m"
 language = "esql"
 license = "Elastic License v2"
@@ -115,7 +115,8 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
     http.response.status_code,
     user_agent.original,
     host.name,
-    event.dataset
+    event.dataset,
+    data_stream.namespace
 
 | stats
     Esql.event_count = count(),
@@ -129,6 +130,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
     Esql.http.response.status_code_values = values(http.response.status_code),
     Esql.user_agent_original_values = values(user_agent.original),
     Esql.event_dataset_values = values(event.dataset),
+    Esql.data_stream_namespace_values = values(data_stream.namespace),
 
     // Rule Specific fields
     Esql.any_payload_keyword_max = max(Esql.any_payload_keyword),

rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/05"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ This rule detects potential web server discovery or fuzzing activity by identify
 in 404 or 403 status codes from a single source IP address within a short timeframe. Such patterns may indicate that an attacker
 is attempting to discover hidden or unlinked resources on a web server, which can be a precursor to more targeted attacks.
 """
-from = "now-9m"
+from = "now-11m"
 interval = "10m"
 language = "esql"
 license = "Elastic License v2"
@@ -78,7 +78,9 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
     source.ip,
     agent.id,
     host.name,
-    Esql.url_original_to_lower
+    Esql.url_original_to_lower,
+    data_stream.namespace
+
 | stats
     Esql.event_count = count(),
     Esql.url_original_count_distinct = count_distinct(Esql.url_original_to_lower),
@@ -87,7 +89,8 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
     Esql.http_request_method_values = values(http.request.method),
     Esql.http_response_status_code_values = values(http.response.status_code),
     Esql.url_original_values = values(Esql.url_original_to_lower),
-    Esql.event_dataset_values = values(event.dataset)
+    Esql.event_dataset_values = values(event.dataset),
+    Esql.data_stream_namespace_values = values(data_stream.namespace)
     by source.ip
 | where
   Esql.event_count > 500 and Esql.url_original_count_distinct > 250

rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/05"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ as vulnerability scanning or fuzzing attempts by adversaries. These activities o
 responses as they probe for weaknesses in web applications. Error response codes may potentially indicate server-side
 issues that could be exploited.
 """
-from = "now-9m"
+from = "now-11m"
 interval = "10m"
 language = "esql"
 license = "Elastic License v2"
@@ -71,13 +71,16 @@ from logs-nginx.error-*, logs-apache_tomcat.error-*, logs-apache.error-*, logs-i
     event.dataset,
     source.ip,
     agent.id,
-    host.name
+    host.name,
+    data_stream.namespace
+
 | where source.ip is not null
 | stats
     Esql.event_count = count(),
     Esql.host_name_values = values(host.name),
     Esql.agent_id_values = values(agent.id),
-    Esql.event_dataset_values = values(event.dataset)
+    Esql.event_dataset_values = values(event.dataset),
+    Esql.data_stream_namespace_values = values(data_stream.namespace)
     by source.ip, agent.id
 | where
     Esql.event_count > 50

rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/05"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ reconnaissance activities such as vulnerability scanning or fuzzing attempts by
 generate a high volume of error responses as they probe for weaknesses in web applications. Error response codes
 may potentially indicate server-side issues that could be exploited.
 """
-from = "now-9m"
+from = "now-11m"
 interval = "10m"
 language = "esql"
 license = "Elastic License v2"
@@ -84,7 +84,9 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
     source.ip,
     agent.id,
     host.name,
-    Esql.url_original_to_lower
+    Esql.url_original_to_lower,
+    data_stream.namespace
+
 | stats
     Esql.event_count = count(),
     Esql.http_response_status_code_count = count(http.response.status_code),
@@ -94,7 +96,8 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
     Esql.http_request_method_values = values(http.request.method),
     Esql.http_response_status_code_values = values(http.response.status_code),
     Esql.url_path_values = values(Esql.url_original_to_lower),
-    Esql.event_dataset_values = values(event.dataset)
+    Esql.event_dataset_values = values(event.dataset),
+    Esql.data_stream_namespace_values = values(data_stream.namespace)
     by source.ip, agent.id
 | where
     Esql.http_response_status_code_count > 10

rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/05"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ This rule detects unusual spikes in web server requests with uncommon or suspici
 indicate reconnaissance attempts by attackers trying to identify vulnerabilities in web applications or servers. These
 user-agents are often associated with automated tools used for scanning, vulnerability assessment, or brute-force attacks.
 """
-from = "now-9m"
+from = "now-11m"
 interval = "10m"
 language = "esql"
 license = "Elastic License v2"
@@ -101,15 +101,17 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
     agent.id,
     host.name,
     Esql.url_original_to_lower,
-    Esql.user_agent_original_to_lower
+    Esql.user_agent_original_to_lower,
+    data_stream.namespace
 | stats
     Esql.event_count = count(),
     Esql.url_original_count_distinct = count_distinct(Esql.url_original_to_lower),
     Esql.host_name_values = values(host.name),
     Esql.agent_id_values = values(agent.id),
     Esql.url_original_values = values(Esql.url_original_to_lower),
     Esql.user_agent_original_values = values(Esql.user_agent_original_to_lower),
-    Esql.event_dataset_values = values(event.dataset)
+    Esql.event_dataset_values = values(event.dataset),
+    Esql.data_stream_namespace_values = values(data_stream.namespace)
     by source.ip, agent.id
 | where
     Esql.event_count > 50 and Esql.url_original_count_distinct > 10