[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413)

* [Rule Tuning] Interval fix + Datastream values to ESQL Rules

* Update persistence_web_server_potential_command_injection.toml
Ruben Groenewoud
2025-12-05 16:42:52 +01:00
committed by GitHub
parent b8aedcd7aa
commit 72a2b44db1
5 changed files with 32 additions and 19 deletions
@@ -2,7 +2,7 @@
creation_date = "2025/11/19"
integration = ["nginx", "apache", "apache_tomcat", "iis"]
maturity = "production"
updated_date = "2025/12/01"
updated_date = "2025/12/05"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ applications to inject and execute arbitrary commands on the server, often using
PHP, or shell commands. By monitoring for these indicators in web traffic, security teams can identify and respond to
potential threats early.
"""
from = "now-9m"
from = "now-11m"
interval = "10m"
language = "esql"
license = "Elastic License v2"
@@ -115,7 +115,8 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
http.response.status_code,
user_agent.original,
host.name,
event.dataset
event.dataset,
data_stream.namespace
| stats
Esql.event_count = count(),
@@ -129,6 +130,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
Esql.http.response.status_code_values = values(http.response.status_code),
Esql.user_agent_original_values = values(user_agent.original),
Esql.event_dataset_values = values(event.dataset),
Esql.data_stream_namespace_values = values(data_stream.namespace),
// Rule Specific fields
Esql.any_payload_keyword_max = max(Esql.any_payload_keyword),