[Rule Tuning] Add Host Metadata to ES|QL Aggregation Rules (#4592)

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

rules/linux/persistence_web_server_sus_command_execution.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/03/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/04/03"
 
 [rule]
 author = ["Elastic"]
@@ -61,7 +61,7 @@ type = "esql"
 
 query = '''
 from logs-endpoint.events.process-*
-| keep @timestamp, host.os.type, event.type, event.action, process.parent.name, user.name, user.id, process.working_directory, process.name, process.command_line, process.parent.executable, agent.id
+| keep @timestamp, host.os.type, event.type, event.action, process.parent.name, user.name, user.id, process.working_directory, process.name, process.command_line, process.parent.executable, agent.id, host.name
 | where @timestamp > now() - 1 hours
 | where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
   process.parent.name in (
@@ -87,7 +87,7 @@ from logs-endpoint.events.process-*
   process.parent.executable like "/vscode/vscode-server/*" or
   process.parent.executable == "/usr/bin/xfce4-terminal"
 )
-| stats cc = count(), agent_count = count_distinct(agent.id) by process.command_line, process.working_directory, process.parent.executable
+| stats cc = count(), agent_count = count_distinct(agent.id), host.name = VALUES(host.name), agent.id = VALUES(agent.id) by process.command_line, process.working_directory, process.parent.executable
 | where agent_count == 1 and cc < 5
 | sort cc asc
 | limit 100