diff --git a/rules/cross-platform/persistence_web_server_potential_command_injection.toml b/rules/cross-platform/persistence_web_server_potential_command_injection.toml
index 48f009177..9d4d87b10 100644
--- a/rules/cross-platform/persistence_web_server_potential_command_injection.toml
+++ b/rules/cross-platform/persistence_web_server_potential_command_injection.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/05"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ applications to inject and execute arbitrary commands on the server, often using
 PHP, or shell commands. By monitoring for these indicators in web traffic, security teams can identify and respond to potential threats early.
 """
-from = "now-9m"
+from = "now-11m"
 interval = "10m"
 language = "esql"
 license = "Elastic License v2"
@@ -115,7 +115,8 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
 http.response.status_code,
 user_agent.original,
 host.name,
- event.dataset
+ event.dataset,
+ data_stream.namespace
 
 | stats
 Esql.event_count = count(),
@@ -129,6 +130,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
 Esql.http.response.status_code_values = values(http.response.status_code),
 Esql.user_agent_original_values = values(user_agent.original),
 Esql.event_dataset_values = values(event.dataset),
+ Esql.data_stream_namespace_values = values(data_stream.namespace),
 
 // Rule Specific fields
 Esql.any_payload_keyword_max = max(Esql.any_payload_keyword),
diff --git a/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml b/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml
index df9b5d8b4..0565c4ae3 100644
--- a/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml
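Review bot: The new lookback `from = "now-11m"` is coupled to `interval = "10m"` two lines below, and nothing in the file records that coupling: the old `now-9m` left a one-minute gap between consecutive runs, and a later change to `interval` alone could reintroduce it. A comment on the line, `# lookback must exceed interval (10m) so consecutive runs overlap`, would keep the invariant visible, assuming the rule tooling tolerates TOML comments here. The same `from` change appears in the four reconnaissance_web_server_* rules further down this diff, so the note applies to those hunks as well. Widening the window also means the `> N` thresholds in each rule's `stats` stage now count over 11 minutes instead of 9, a small shift in sensitivity worth stating in the change description.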
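Review bot: The added `Esql.data_stream_namespace_values = values(data_stream.namespace),` follows the `Esql.<field>_values` underscore convention, but the adjacent context line `Esql.http.response.status_code_values = values(http.response.status_code),` in the same stats block keeps dots in the derived name, unlike `Esql.http_response_status_code_values` in the other rules touched by this diff. Since this block is being edited anyway, renaming it to `Esql.http_response_status_code_values = values(http.response.status_code),` would make the derived field names consistent across the rule set, after checking that nothing downstream references the dotted name. The stats block continues outside the hunk.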
+++ b/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/05"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ This rule detects potential web server discovery or fuzzing activity by identify
 in 404 or 403 status codes from a single source IP address within a short timeframe. Such patterns may indicate that an attacker is attempting to discover hidden or unlinked resources on a web server, which can be a precursor to more targeted attacks.
 """
-from = "now-9m"
+from = "now-11m"
 interval = "10m"
 language = "esql"
 license = "Elastic License v2"
@@ -78,7 +78,9 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
 source.ip,
 agent.id,
 host.name,
- Esql.url_original_to_lower
+ Esql.url_original_to_lower,
+ data_stream.namespace
+
 | stats
 Esql.event_count = count(),
 Esql.url_original_count_distinct = count_distinct(Esql.url_original_to_lower),
@@ -87,7 +89,8 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
 Esql.http_request_method_values = values(http.request.method),
 Esql.http_response_status_code_values = values(http.response.status_code),
 Esql.url_original_values = values(Esql.url_original_to_lower),
- Esql.event_dataset_values = values(event.dataset)
+ Esql.event_dataset_values = values(event.dataset),
+ Esql.data_stream_namespace_values = values(data_stream.namespace)
 by source.ip
 | where Esql.event_count > 500 and Esql.url_original_count_distinct > 250
diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
index aa1d8d192..6e1a85094 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
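Review bot: The new `Esql.data_stream_namespace_values = values(data_stream.namespace)` sits under `by source.ip`, so the namespace is enrichment only: a source IP seen across several namespaces still produces one alert carrying a multi-valued namespace list, and the `Esql.event_count > 500 and Esql.url_original_count_distinct > 250` thresholds are evaluated across all namespaces together. That is probably intended, since grouping by namespace would also split the counts and raise the effective threshold, but an ESQL comment on the line, `// enrichment only; namespace is deliberately not part of the grouping key`, would spare the next reader the question of whether it belonged in `by`. The same pattern applies to the stats hunks of the three remaining reconnaissance rules in this diff, which group `by source.ip, agent.id`.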
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/05"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ as vulnerability scanning or fuzzing attempts by adversaries. These activities o
 responses as they probe for weaknesses in web applications. Error response codes may potentially indicate server-side issues that could be exploited.
 """
-from = "now-9m"
+from = "now-11m"
 interval = "10m"
 language = "esql"
 license = "Elastic License v2"
@@ -71,13 +71,16 @@ from logs-nginx.error-*, logs-apache_tomcat.error-*, logs-apache.error-*, logs-i
 event.dataset,
 source.ip,
 agent.id,
- host.name
+ host.name,
+ data_stream.namespace
+
 | where source.ip is not null
 | stats
 Esql.event_count = count(),
 Esql.host_name_values = values(host.name),
 Esql.agent_id_values = values(agent.id),
- Esql.event_dataset_values = values(event.dataset)
+ Esql.event_dataset_values = values(event.dataset),
+ Esql.data_stream_namespace_values = values(data_stream.namespace)
 by source.ip, agent.id
 | where Esql.event_count > 50
diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
index 3a8f67abd..54edd8307 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/05"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ reconnaissance activities such as vulnerability scanning or fuzzing attempts by
 generate a high volume of error responses as they probe for weaknesses in web applications. Error response codes may potentially indicate server-side issues that could be exploited.
 """
-from = "now-9m"
+from = "now-11m"
 interval = "10m"
 language = "esql"
 license = "Elastic License v2"
@@ -84,7 +84,9 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
 source.ip,
 agent.id,
 host.name,
- Esql.url_original_to_lower
+ Esql.url_original_to_lower,
+ data_stream.namespace
+
 | stats
 Esql.event_count = count(),
 Esql.http_response_status_code_count = count(http.response.status_code),
@@ -94,7 +96,8 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
 Esql.http_request_method_values = values(http.request.method),
 Esql.http_response_status_code_values = values(http.response.status_code),
 Esql.url_path_values = values(Esql.url_original_to_lower),
- Esql.event_dataset_values = values(event.dataset)
+ Esql.event_dataset_values = values(event.dataset),
+ Esql.data_stream_namespace_values = values(data_stream.namespace)
 by source.ip, agent.id
 | where Esql.http_response_status_code_count > 10
diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml
index 3c8e9d93a..4eaf73c5e 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis"]
 maturity = "production"
-updated_date = "2025/12/01"
+updated_date = "2025/12/05"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ This rule detects unusual spikes in web server requests with uncommon or suspici
 indicate reconnaissance attempts by attackers trying to identify vulnerabilities in web applications or servers. These user-agents are often associated with automated tools used for scanning, vulnerability assessment, or brute-force attacks.
 """
-from = "now-9m"
+from = "now-11m"
 interval = "10m"
 language = "esql"
 license = "Elastic License v2"
@@ -101,7 +101,8 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
 agent.id,
 host.name,
 Esql.url_original_to_lower,
- Esql.user_agent_original_to_lower
+ Esql.user_agent_original_to_lower,
+ data_stream.namespace
 | stats
 Esql.event_count = count(),
 Esql.url_original_count_distinct = count_distinct(Esql.url_original_to_lower),
@@ -109,7 +110,8 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
 Esql.agent_id_values = values(agent.id),
 Esql.url_original_values = values(Esql.url_original_to_lower),
 Esql.user_agent_original_values = values(Esql.user_agent_original_to_lower),
- Esql.event_dataset_values = values(event.dataset)
+ Esql.event_dataset_values = values(event.dataset),
+ Esql.data_stream_namespace_values = values(data_stream.namespace)
 by source.ip, agent.id
 | where Esql.event_count > 50 and Esql.url_original_count_distinct > 10
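Review bot: This is the only rule in the diff where `data_stream.namespace` is appended to the `keep` list without an empty line before `| stats`; the discovery/fuzzing and error-response-code rules add one at that point in the same change, and the error-log rule adds one after its new keep field as well. Adding the empty line here keeps the five queries formatted alike: `    data_stream.namespace`, an empty line, then `| stats`. The keep list begins outside the hunk.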