updated ESQL fields

terrancedejesus · terrancedejesus · commit a5a5f01248a1 · 2025-07-30T14:16:24.000-04:00
diff --git a/rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml b/rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml
@@ -78,20 +78,19 @@ FROM logs-aws.cloudtrail-* METADATA _id, _version, _index
 
 // Extract mobile version and MFA usage
 | dissect aws.cloudtrail.additional_eventdata
-    "{%{?mobile_version_key}=%{Esql.device_version}, %{?mfa_used_key}=%{Esql.auth_mfa_used}}"
+    "{%{?mobile_version_key}=%{Esql.aws_cloudtrail_additional_eventdata_device_version}, %{?mfa_used_key}=%{Esql.aws_cloudtrail_additional_eventdata_auth_mfa_used}}"
 
 // Only keep events where MFA was not used
-| where Esql.auth_mfa_used == "No"
+| where Esql.aws_cloudtrail_additional_eventdata_auth_mfa_used == "No"
 
 // Keep relevant ECS and dissected fields
 | keep
     @timestamp,
     event.action,
     aws.cloudtrail.event_type,
     aws.cloudtrail.user_identity.type,
-    Esql.device_version,
-    Esql.auth_mfa_used
-
+    Esql.aws_cloudtrail_additional_eventdata_device_version,
+    Esql.aws_cloudtrail_additional_eventdata_auth_mfa_used
 '''
 
 
diff --git a/rules/integrations/azure/credential_access_azure_entra_suspicious_signin.toml b/rules/integrations/azure/credential_access_azure_entra_suspicious_signin.toml
@@ -91,45 +91,44 @@ FROM logs-azure.signinlogs* METADATA _id, _version, _index
 
 // Case classifications for identity usage
 | eval
-    esql.azure.signinlogs.properties.authentication.device_code.case = case(
+      Esql.azure_signinlogs_properties_authentication_device_code_case = case(
       azure.signinlogs.properties.authentication_protocol == "deviceCode"
       and azure.signinlogs.properties.authentication_requirement != "multiFactorAuthentication",
       azure.signinlogs.identity,
       null),
 
-    esql.azure.signinlogs.auth.visual_studio.case = case(
+    Esql.azure_signinlogs_auth_visual_studio_case = case(
       azure.signinlogs.properties.app_id == "aebc6443-996d-45c2-90f0-388ff96faa56"
       and azure.signinlogs.properties.resource_display_name == "Microsoft Graph",
       azure.signinlogs.identity,
       null),
 
-    esql.azure.signinlogs.auth.other.case = case(
+    Esql.azure_signinlogs_auth_other_case = case(
       azure.signinlogs.properties.authentication_protocol != "deviceCode"
       and azure.signinlogs.properties.app_id != "aebc6443-996d-45c2-90f0-388ff96faa56",
       azure.signinlogs.identity,
       null)
 
 // Aggregate metrics by user identity
 | stats
-    esql.event.count = COUNT(*),
-    esql.azure.signinlogs.properties.authentication.device_code.case.count_distinct = COUNT_DISTINCT(esql.azure.signinlogs.properties.authentication.device_code.case),
-    esql.azure.signinlogs.auth.visual_studio.count_distinct = COUNT_DISTINCT(esql.azure.signinlogs.auth.visual_studio.case),
-    esql.azure.signinlogs.auth.other.count_distinct = COUNT_DISTINCT(esql.azure.signinlogs.auth.other.case),
-    esql.azure.signinlogs.source.ip.count_distinct = COUNT_DISTINCT(source.ip),
-    esql.azure.signinlogs.source.ip.values = VALUES(source.ip),
-    esql.azure.signinlogs.client_app.values = VALUES(azure.signinlogs.properties.app_display_name),
-    esql.azure.signinlogs.resource_display_name.values = VALUES(azure.signinlogs.properties.resource_display_name),
-    esql.azure.signinlogs.auth.requirement.values = VALUES(azure.signinlogs.properties.authentication_requirement)
+    Esql.event_count = COUNT(*),
+    Esql.azure_signinlogs_properties_authentication_device_code_case_count_distinct = COUNT_DISTINCT(Esql.azure_signinlogs_properties_authentication_device_code_case),
+    Esql.azure_signinlogs_properties_auth_visual_studio_count_distinct = COUNT_DISTINCT(Esql.azure_signinlogs_auth_visual_studio_case),
+    Esql.azure_signinlogs_properties_auth_other_count_distinct = COUNT_DISTINCT(Esql.azure_signinlogs_auth_other_case),
+    Esql.azure_signinlogs_properties_source_ip_count_distinct = COUNT_DISTINCT(source.ip),
+    Esql.azure_signinlogs_properties_source_ip_values = VALUES(source.ip),
+    Esql.azure_signinlogs_properties_client_app_values = VALUES(azure.signinlogs.properties.app_display_name),
+    Esql.azure_signinlogs_properties_resource_display_name_values = VALUES(azure.signinlogs.properties.resource_display_name),
+    Esql.azure_signinlogs_properties_auth_requirement_values = VALUES(azure.signinlogs.properties.authentication_requirement)
   by azure.signinlogs.identity
 
 // Detect multiple unique IPs for one user with signs of deviceCode or VSC OAuth usage
 | where
-  esql.azure.signinlogs.source.ip.count_distinct >= 2
+  Esql.azure_signinlogs_properties_source_ip_count_distinct >= 2
   and (
-    esql.azure.signinlogs.auth.device_code.count_distinct > 0
-    or esql.azure.signinlogs.auth.visual_studio.count_distinct > 0
+    Esql.azure_signinlogs_properties_authentication_device_code_case_count_distinct > 0
+    or Esql.azure_signinlogs_properties_auth_visual_studio_count_distinct > 0
   )
-
 '''
 
 
diff --git a/rules/integrations/azure/credential_access_azure_key_vault_excessive_retrieval.toml b/rules/integrations/azure/credential_access_azure_key_vault_excessive_retrieval.toml
@@ -127,7 +127,7 @@ FROM logs-azure.platformlogs-* METADATA _id, _index
     Esql.geo_city_values = VALUES(geo.city_name),
     Esql.geo_region_values = VALUES(geo.region_name),
     Esql.geo_country_values = VALUES(geo.country_name),
-    Esql.network_as_org_values = VALUES(source.as.organization.name),
+    Esql.source_as_organization_name_values = VALUES(source.as.organization.name),
 
     Esql.event_action_values = VALUES(event.action),
     Esql.event_count = COUNT(*),
@@ -155,7 +155,7 @@ BY Esql.time_window_date_trunc, azure.platformlogs.identity.claim.upn
     Esql.geo_city_values,
     Esql.geo_region_values,
     Esql.geo_country_values,
-    Esql.network_as_org_values,
+    Esql.source_as_organization_name_values,
     Esql.event_action_values,
     Esql.event_count,
     Esql.event_action_count_distinct,
diff --git a/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml b/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml
@@ -156,10 +156,10 @@ FROM logs-azure.signinlogs*
     Esql.azure_signinlogs_properties_app_display_name_values_all = VALUES(azure.signinlogs.properties.app_display_name),
     Esql.source_ip_values = VALUES(source.ip),
     Esql.source_ip_count_distinct = COUNT_DISTINCT(source.ip),
-    Esql.source_`as`.organization.name.values = VALUES(source.`as`.organization.name),
+    Esql.source_as_organization_name_values = VALUES(source.`as`.organization.name),
     Esql.source_geo_country_name_values = VALUES(source.geo.country_name),
     Esql.source_geo_country_name_count_distinct = COUNT_DISTINCT(source.geo.country_name),
-    Esql.source_`as`.organization.name.count_distinct = COUNT_DISTINCT(source.`as`.organization.name),
+    Esql.source_as_organization_name_count_distinct = COUNT_DISTINCT(source.`as`.organization.name),
     Esql.timestamp_first_seen = MIN(@timestamp),
     Esql.timestamp_last_seen = MAX(@timestamp),
     Esql.event_count = COUNT()
@@ -201,10 +201,10 @@ BY Esql.time_window_date_trunc
     Esql.azure_signinlogs_properties_app_display_name_values_all,
     Esql.source_ip_values,
     Esql.source_ip_count_distinct,
-    Esql.source_`as`.organization.name.values,
+    Esql.source_as_organization_name_values,
     Esql.source_geo_country_name_values,
     Esql.source_geo_country_name_count_distinct,
-    Esql.source_`as`.organization.name.count_distinct,
+    Esql.source_as_organization_name_count_distinct,
     Esql.azure_signinlogs_properties_authentication_requirement_values,
     Esql.azure_signinlogs_properties_app_id_values,
     Esql.azure_signinlogs_properties_app_display_name_values,
diff --git a/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml b/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
@@ -130,8 +130,8 @@ FROM logs-azure.signinlogs*
     Esql.azure_signinlogs_properties_app_display_name_lower_values = VALUES(Esql.azure_signinlogs_properties_app_display_name_lower),
     Esql.source_ip_values = VALUES(source.ip),
     Esql.source_ip_count_distinct = COUNT_DISTINCT(source.ip),
-    Esql.source_`as`.organization.name.values = VALUES(source.`as`.organization.name),
-    Esql.source_`as`.organization.name.count_distinct = COUNT_DISTINCT(source.`as`.organization.name),
+    Esql.source_as_organization_name_values = VALUES(source.`as`.organization.name),
+    Esql.source_as_organization_name_count_distinct = COUNT_DISTINCT(source.`as`.organization.name),
     Esql.source_geo_country_name_values = VALUES(source.geo.country_name),
     Esql.source_geo_country_name_count_distinct = COUNT_DISTINCT(source.geo.country_name),
     Esql.@timestamp.min = MIN(@timestamp),
@@ -156,8 +156,8 @@ BY Esql.time_window_date_trunc
     Esql.azure_signinlogs_properties_app_display_name_lower_values,
     Esql.source_ip_values,
     Esql.source_ip_count_distinct,
-    Esql.source_`as`.organization.name.values,
-    Esql.source_`as`.organization.name.count_distinct,
+    Esql.source_as_organization_name_values,
+    Esql.source_as_organization_name_count_distinct,
     Esql.source_geo_country_name_values,
     Esql.source_geo_country_name_count_distinct,
     Esql.azure_signinlogs_properties_authentication_requirement_values,
diff --git a/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml b/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml
@@ -158,8 +158,8 @@ FROM logs-azure.signinlogs*
     Esql.azure_signinlogs_properties_app_display_name_lower_values = VALUES(Esql.azure_signinlogs_properties_app_display_name_lower),
     Esql.source_ip_values = VALUES(source.ip),
     Esql.source_ip_count_distinct = COUNT_DISTINCT(source.ip),
-    Esql.source_`as`.organization.name.values = VALUES(source.`as`.organization.name),
-    Esql.source_`as`.organization.name.count_distinct = COUNT_DISTINCT(source.`as`.organization.name),
+    Esql.source_as_organization_name_values = VALUES(source.`as`.organization.name),
+    Esql.source_as_organization_name_count_distinct = COUNT_DISTINCT(source.`as`.organization.name),
     Esql.source_geo_country_name_values = VALUES(source.geo.country_name),
     Esql.source_geo_country_name_count_distinct = COUNT_DISTINCT(source.geo.country_name),
     Esql.@timestamp.min = MIN(@timestamp),
@@ -215,8 +215,8 @@ BY Esql.time_window_date_trunc
     Esql.azure_signinlogs_properties_app_display_name_lower_values,
     Esql.source_ip_values,
     Esql.source_ip_count_distinct,
-    Esql.source_`as`.organization.name.values,
-    Esql.source_`as`.organization.name.count_distinct,
+    Esql.source_as_organization_name_values,
+    Esql.source_as_organization_name_count_distinct,
     Esql.source_geo_country_name_values,
     Esql.source_geo_country_name_count_distinct,
     Esql.azure_signinlogs_properties_authentication_requirement_values,
diff --git a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml
@@ -118,7 +118,7 @@ FROM logs-azure.signinlogs* METADATA _id, _version, _index
     Esql.source_geo_region_name_values = VALUES(source.geo.region_name),
     Esql.source_address_values = VALUES(source.address),
     Esql.source_address_count_distinct = COUNT_DISTINCT(source.address),
-    Esql.source_`as`.organization.name.values = VALUES(source.`as`.organization.name),
+    Esql.source_as_organization_name_values = VALUES(source.`as`.organization.name),
 
     Esql.azure_signinlogs_properties_authentication_protocol_values = VALUES(azure.signinlogs.properties.authentication_protocol),
     Esql.azure_signinlogs_properties_authentication_requirement_values = VALUES(azure.signinlogs.properties.authentication_requirement),
@@ -161,7 +161,7 @@ FROM logs-azure.signinlogs* METADATA _id, _version, _index
     Esql.source_geo_region_name_values,
     Esql.source_address_values,
     Esql.source_address_count_distinct,
-    Esql.source_`as`.organization.name.values,
+    Esql.source_as_organization_name_values,
     Esql.azure_signinlogs_properties_authentication_protocol_values,
     Esql.azure_signinlogs_properties_authentication_requirement_values,
     Esql.azure_signinlogs_properties_is_interactive_values,
diff --git a/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml b/rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml
@@ -59,12 +59,12 @@ type = "esql"
 query = '''
 FROM logs-azure.auditlogs-* metadata _id, _version, _index
 | WHERE event.action == "Authentication Methods Policy Update"
-| EVAL Esql.azure.auditlogs.properties.target_resources.modified_properties.new_value.replace = REPLACE(`azure.auditlogs.properties.target_resources.0.modified_properties.0.new_value`, "\\\\", "")
-| EVAL Esql.azure.auditlogs.properties.target_resources.modified_properties.old_value.replace = REPLACE(`azure.auditlogs.properties.target_resources.0.modified_properties.0.old_value`, "\\\\", "")
-| DISSECT Esql.azure.auditlogs.properties.target_resources.modified_properties.new_value.replace "%{}discoveryUrl\":\"%{Esql.azure.auditlogs.properties.auth.oidc.discovery.url.new}\"}%{}"
-| DISSECT Esql.azure.auditlogs.properties.target_resources.modified_properties.old_value.replace "%{}discoveryUrl\":\"%{Esql.azure.auditlogs.properties.auth.oidc.discovery.url.old}\"}%{}"
-| WHERE Esql.azure.auditlogs.properties.auth.oidc.discovery.url.new IS NOT NULL and Esql.azure.auditlogs.properties.auth.oidc.discovery.url.old IS NOT NULL
-| WHERE Esql.azure.auditlogs.properties.auth.oidc.discovery.url.new != Esql.azure.auditlogs.properties.auth.oidc.discovery.url.old
+| EVAL Esql.azure_auditlogs_properties_target_resources_modified_properties_new_value_replace = REPLACE(`azure.auditlogs.properties.target_resources.0.modified_properties.0.new_value`, "\\\\", "")
+| EVAL Esql.azure_auditlogs_properties_target_resources_modified_properties_old_value_replace = REPLACE(`azure.auditlogs.properties.target_resources.0.modified_properties.0.old_value`, "\\\\", "")
+| DISSECT Esql.azure_auditlogs_properties_target_resources_modified_properties_new_value_replace "%{}discoveryUrl\":\"%{Esql.azure_auditlogs_properties_auth_oidc_discovery_url_new}\"}%{}"
+| DISSECT Esql.azure_auditlogs_properties_target_resources_modified_properties_old_value_replace "%{}discoveryUrl\":\"%{Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old}\"}%{}"
+| WHERE Esql.azure_auditlogs_properties_auth_oidc_discovery_url_new IS NOT NULL and Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old IS NOT NULL
+| WHERE Esql.azure_auditlogs_properties_auth_oidc_discovery_url_new != Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old
 | KEEP
     @timestamp,
     event.action,
@@ -79,8 +79,8 @@ FROM logs-azure.auditlogs-* metadata _id, _version, _index
     source.geo.city_name,
     source.geo.region_name,
     source.geo.country_name,
-    Esql.azure.auditlogs.properties.auth.oidc.discovery.url.new,
-    Esql.azure.auditlogs.properties.auth.oidc.discovery.url.old
+    Esql.azure_auditlogs_properties_auth_oidc_discovery_url_new,
+    Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old
 '''
 
 
diff --git a/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml b/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml
@@ -91,8 +91,8 @@ FROM logs-o365.audit-*
     Esql_priv.o365_audit_UserId_values = VALUES(TO_LOWER(o365.audit.UserId)),
     Esql.source_ip_values = VALUES(source.ip),
     Esql.source_ip_count_distinct = COUNT_DISTINCT(source.ip),
-    Esql.source_`as`.organization.name.values = VALUES(source.`as`.organization.name),
-    Esql.source_`as`.organization.name.count_distinct = COUNT_DISTINCT(source.`as`.organization.name),
+    Esql.source_as_organization_name_values = VALUES(source.`as`.organization.name),
+    Esql.source_as_organization_name_count_distinct = COUNT_DISTINCT(source.`as`.organization.name),
     Esql.source_geo_country_name_values = VALUES(source.geo.country_name),
     Esql.source_geo_country_name_count_distinct = COUNT_DISTINCT(source.geo.country_name),
     Esql.o365_audit_ExtendedProperties_RequestType_values = VALUES(TO_LOWER(o365.audit.ExtendedProperties.RequestType)),
@@ -108,8 +108,8 @@ FROM logs-o365.audit-*
     Esql_priv.o365_audit_UserId_values,
     Esql.source_ip_values,
     Esql.source_ip_count_distinct,
-    Esql.source_`as`.organization.name.values,
-    Esql.source_`as`.organization.name.count_distinct,
+    Esql.source_as_organization_name_values,
+    Esql.source_as_organization_name_count_distinct,
     Esql.source_geo_country_name_values,
     Esql.source_geo_country_name_count_distinct,
     Esql.o365_audit_ExtendedProperties_RequestType_values,
diff --git a/rules/integrations/o365/credential_access_microsoft_365_potential_user_account_brute_force.toml b/rules/integrations/o365/credential_access_microsoft_365_potential_user_account_brute_force.toml
@@ -113,10 +113,10 @@ FROM logs-o365.audit-*
     Esql.o365_audit_ExtendedProperties_RequestType_values = VALUES(Esql.o365_audit_ExtendedProperties_RequestType_lower),
     Esql.source_ip_values = VALUES(source.ip),
     Esql.source_ip_count_distinct = COUNT_DISTINCT(source.ip),
-    Esql.source_`as`.organization.name.values = VALUES(source.`as`.organization.name),
+    Esql.source_as_organization_name_values = VALUES(source.`as`.organization.name),
     Esql.source_geo_country_name_values = VALUES(source.geo.country_name),
     Esql.source_geo_country_name_count_distinct = COUNT_DISTINCT(source.geo.country_name),
-    Esql.source_`as`.organization.name.count_distinct = COUNT_DISTINCT(source.`as`.organization.name),
+    Esql.source_as_organization_name_count_distinct = COUNT_DISTINCT(source.`as`.organization.name),
     Esql.timestamp_first_seen = MIN(@timestamp),
     Esql.timestamp_last_seen = MAX(@timestamp),
     Esql.event_count = COUNT(*)
@@ -138,10 +138,10 @@ FROM logs-o365.audit-*
     Esql.o365_audit_ExtendedProperties_RequestType_values,
     Esql.source_ip_values,
     Esql.source_ip_count_distinct,
-    Esql.source_`as`.organization.name.values,
+    Esql.source_as_organization_name_values,
     Esql.source_geo_country_name_values,
     Esql.source_geo_country_name_count_distinct,
-    Esql.source_`as`.organization.name.count_distinct,
+    Esql.source_as_organization_name_count_distinct,
     Esql.timestamp_first_seen,
     Esql.timestamp_last_seen,
     Esql.event_duration_seconds,
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml b/rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml
@@ -94,7 +94,7 @@ FROM logs-o365.audit-*
     Esql.source_ip_count_distinct = COUNT_DISTINCT(source.ip),
     Esql.source_ip_values = VALUES(source.ip),
     Esql.o365_audit_ApplicationId_values = VALUES(o365.audit.ApplicationId),
-    Esql.source_`as`.organization.name.values = VALUES(source.`as`.organization.name),
+    Esql.source_as_organization_name_values = VALUES(source.`as`.organization.name),
     Esql.oauth_token_count_distinct = COUNT_DISTINCT(Esql.oauth_token_user_id_case),
     Esql.oauth_authorize_count_distinct = COUNT_DISTINCT(Esql.oauth_authorize_user_id_case)
   BY
@@ -107,7 +107,7 @@ FROM logs-o365.audit-*
     Esql.source_ip_values,
     Esql.source_ip_count_distinct,
     Esql.o365_audit_ApplicationId_values,
-    Esql.source_`as`.organization.name.values,
+    Esql.source_as_organization_name_values,
     Esql.oauth_token_count_distinct,
     Esql.oauth_authorize_count_distinct
 | WHERE
diff --git a/rules/linux/defense_evasion_base64_decoding_activity.toml b/rules/linux/defense_evasion_base64_decoding_activity.toml
@@ -110,7 +110,7 @@ FROM logs-endpoint.events.process-*
             process.args IN ("-d", "-base64", "-a")
         ) OR
         (
-            process.name RLIKE "^python.*" AND (
+            process.name LIKE "python*" AND (
                 (
                     process.args == "base64" AND
                     process.args IN ("-d", "-u", "-t")
@@ -123,11 +123,11 @@ FROM logs-endpoint.events.process-*
             )
         ) OR
         (
-            process.name RLIKE "^perl.*" AND
+            process.name LIKE "perl*" AND
             process.command_line LIKE "*decode_base64*"
         ) OR
         (
-            process.name RLIKE "^ruby.*" AND
+            process.name LIKE "ruby*" AND
             process.args == "-e" AND
             process.command_line LIKE "*Base64.decode64*"
         )
diff --git a/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml b/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml
@@ -102,16 +102,16 @@ FROM logs-endpoint.events.network-*
     event.type == "start" AND
     event.action == "connection_attempted"
 | STATS
-    Esql.connection_count = COUNT(),
+    Esql.event_count = COUNT(),
     Esql.destination_ip_count_distinct = COUNT_DISTINCT(destination.ip),
     Esql.agent_id_count_distinct = COUNT_DISTINCT(agent.id),
-    host.name.values = VALUES(host.name),
-    agent.id.values = VALUES(agent.id)
+    Esql.host_name_values = VALUES(host.name),
+    Esql.agent_id_values = VALUES(agent.id)
   BY process.executable
 | WHERE
     Esql.agent_id_count_distinct == 1 AND
     Esql.destination_ip_count_distinct > 250
-| SORT Esql.connection_count ASC
+| SORT Esql.event_count ASC
 | LIMIT 100
 
 '''
diff --git a/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml b/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml
@@ -104,8 +104,8 @@ FROM logs-endpoint.events.process-*
 | STATS
     Esql.event_count = COUNT(),
     Esql.agent_id_count_distinct = COUNT_DISTINCT(agent.id),
-    host.name.values = VALUES(host.name),
-    agent.id.values = VALUES(agent.id)
+    Esql.host_name_values = VALUES(host.name),
+    Esql.agent_id_values = VALUES(agent.id)
   BY process.executable, process.parent.executable, process.command_line
 | WHERE
     Esql.agent_id_count_distinct == 1 AND
diff --git a/rules/linux/impact_potential_bruteforce_malware_infection.toml b/rules/linux/impact_potential_bruteforce_malware_infection.toml
@@ -117,8 +117,8 @@ FROM logs-endpoint.events.network-*
 | STATS
     Esql.event_count = COUNT(),
     Esql.agent_id_count_distinct = COUNT_DISTINCT(agent.id),
-    host.name.values = VALUES(host.name),
-    agent.id.values = VALUES(agent.id)
+    Esql.host_name_values = VALUES(host.name),
+    Esql.agent_id_values = VALUES(agent.id)
   BY process.executable, destination.port
 | WHERE
     Esql.agent_id_count_distinct == 1 AND
diff --git a/rules/linux/persistence_web_server_sus_child_spawned.toml b/rules/linux/persistence_web_server_sus_child_spawned.toml
diff --git a/rules/linux/persistence_web_server_sus_command_execution.toml b/rules/linux/persistence_web_server_sus_command_execution.toml
diff --git a/rules/windows/credential_access_rare_webdav_destination.toml b/rules/windows/credential_access_rare_webdav_destination.toml
diff --git a/rules_building_block/persistence_web_server_sus_file_creation.toml b/rules_building_block/persistence_web_server_sus_file_creation.toml
