diff --git a/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml b/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml
index e2a5a73ca..2f85b8138 100644
--- a/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml
+++ b/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml
@@ -4,7 +4,7 @@ integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
 min_stack_version = "9.2.0"
 min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0"
-updated_date = "2026/03/16"
+updated_date = "2026/03/19"
 
 [rule]
 author = ["Elastic"]
@@ -141,7 +141,7 @@ from
     Esql.url_original_url_decoded_to_lower,
     source.ip,
     agent.id,
-    host.name,
+    agent.name,
     http.request.method,
     http.response.status_code,
     event.dataset,
@@ -150,7 +150,7 @@ from
 | stats
     Esql.event_count = count(),
     Esql.url_original_url_decoded_to_lower_count_distinct = count_distinct(Esql.url_original_url_decoded_to_lower),
-    Esql.host_name_values = values(host.name),
+    Esql.agent_name_values = values(agent.name),
     Esql.agent_id_values = values(agent.id),
     Esql.http_request_method_values = values(http.request.method),
     Esql.http_response_status_code_values = values(http.response.status_code),
diff --git a/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml b/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml
index 42a22dc40..8ea0b32ea 100644
--- a/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml
+++ b/rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml
@@ -4,7 +4,7 @@ integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
 min_stack_version = "9.2.0"
 min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0"
-updated_date = "2026/03/16"
+updated_date = "2026/03/19"
 
 [rule]
 author = ["Elastic"]
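Review bot: In the `@@ -141` hunk `host.name` is dropped from what appears to be the query's `keep` list and replaced by `agent.name`, so after the `stats` the alert carries no host identity at all — only `Esql.agent_id_values`/`Esql.agent_name_values`, which describe the Elastic Agent that shipped the log and, where one agent or a proxy forwards access logs for several web servers, will point an analyst at the collector rather than the target. If the motivation is that `host.name` is not reliably populated across these access-log integrations, record it next to the field so the choice is not reverted later: `    agent.name, // collecting agent; host.name is not set consistently across the access-log integrations`. The `keep`/`by` structure around this list is outside the hunk, so treat the `keep` reading as inferred.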
@@ -94,7 +94,7 @@ from
     Esql.url_original_url_decoded_to_lower,
     source.ip,
     agent.id,
-    host.name,
+    agent.name,
     http.request.method,
     http.response.status_code,
     event.dataset,
@@ -103,7 +103,7 @@ from
 | stats
     Esql.event_count = count(),
     Esql.url_original_url_decoded_to_lower_count_distinct = count_distinct(Esql.url_original_url_decoded_to_lower),
-    Esql.host_name_values = values(host.name),
+    Esql.agent_name_values = values(agent.name),
     Esql.agent_id_values = values(agent.id),
     Esql.http_request_method_values = values(http.request.method),
     Esql.http_response_status_code_values = values(http.response.status_code),
diff --git a/rules/cross-platform/persistence_web_server_potential_command_injection.toml b/rules/cross-platform/persistence_web_server_potential_command_injection.toml
index 285357951..e71c50e44 100644
--- a/rules/cross-platform/persistence_web_server_potential_command_injection.toml
+++ b/rules/cross-platform/persistence_web_server_potential_command_injection.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2026/03/16"
+updated_date = "2026/03/19"
 
 [rule]
 author = ["Elastic"]
@@ -115,7 +115,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
     http.request.method,
     http.response.status_code,
     user_agent.original,
-    host.name,
+    agent.name,
     event.dataset,
     data_stream.namespace
@@ -125,7 +125,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
     // General fields
-    Esql.host_name_values = values(host.name),
+    Esql.agent_name_values = values(agent.name),
     Esql.agent_id_values = values(agent.id),
     Esql.url_path_values = values(Esql.url_original_to_lower),
     Esql.http.response.status_code_values = values(http.response.status_code),
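Review bot: The `@@ -125` hunk of persistence_web_server_potential_command_injection.toml renames an emitted alert column, `Esql.host_name_values` → `Esql.agent_name_values`, which is a schema change for every consumer of these alerts (the rule's investigation guide text, highlighted fields, case templates, saved searches or dashboards keyed on the old name); none of those are in this diff, so confirm they were updated, otherwise they will silently show nothing. A short pointer under the existing `// General fields` comment would also make the new meaning explicit for analysts: `    // agent.* identify the collecting Elastic Agent, not necessarily the web server host`. The `stats` block this belongs to starts and ends outside the hunk.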
diff --git a/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml b/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml
index 91ee05cae..a21ef09d5 100644
--- a/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml
+++ b/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2026/03/16"
+updated_date = "2026/03/19"
 
 [rule]
 author = ["Elastic"]
@@ -78,14 +78,14 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
     http.response.status_code,
     source.ip,
     agent.id,
-    host.name,
+    agent.name,
     Esql.url_original_to_lower,
     data_stream.namespace
 | stats
     Esql.event_count = count(),
     Esql.url_original_count_distinct = count_distinct(Esql.url_original_to_lower),
-    Esql.host_name_values = values(host.name),
+    Esql.agent_name_values = values(agent.name),
     Esql.agent_id_values = values(agent.id),
     Esql.http_request_method_values = values(http.request.method),
     Esql.http_response_status_code_values = values(http.response.status_code),
diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
index bc28da9bd..474e146dc 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2026/03/16"
+updated_date = "2026/03/19"
 
 [rule]
 author = ["Elastic"]
@@ -84,7 +84,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
     http.response.status_code,
     source.ip,
     agent.id,
-    host.name,
+    agent.name,
     Esql.url_original_to_lower,
     data_stream.namespace
@@ -92,7 +92,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
     Esql.event_count = count(),
     Esql.http_response_status_code_count = count(http.response.status_code),
     Esql.http_response_status_code_values = values(http.response.status_code),
-    Esql.host_name_values = values(host.name),
+    Esql.agent_name_values = values(agent.name),
     Esql.agent_id_values = values(agent.id),
     Esql.http_request_method_values = values(http.request.method),
     Esql.http_response_status_code_values = values(http.response.status_code),
diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml
index 013aa8703..f98e838dc 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2026/03/16"
+updated_date = "2026/03/19"
 
 [rule]
 author = ["Elastic"]
@@ -100,14 +100,14 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
     user_agent.original,
     source.ip,
     agent.id,
-    host.name,
+    agent.name,
     Esql.url_original_to_lower,
     Esql.user_agent_original_to_lower,
     data_stream.namespace
 | stats
     Esql.event_count = count(),
     Esql.url_original_count_distinct = count_distinct(Esql.url_original_to_lower),
-    Esql.host_name_values = values(host.name),
+    Esql.agent_name_values = values(agent.name),
     Esql.agent_id_values = values(agent.id),
     Esql.url_original_values = values(Esql.url_original_to_lower),
     Esql.user_agent_original_values = values(Esql.user_agent_original_to_lower),
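Review bot: In the `@@ -92` hunk of reconnaissance_web_server_unusual_spike_in_error_response_codes.toml, `Esql.http_response_status_code_values = values(http.response.status_code)` is declared twice in the same `stats` — once on the third context line above the change and again on the last context line below it — so the second definition is at best a redundant shadow and, depending on how the deployed ES|QL version treats duplicate output columns in `stats`, may fail the query at rule load. Since this block is being touched anyway, drop the trailing duplicate line. The enclosing `stats` starts and ends outside the hunk, so there may be further copies I cannot see.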