diff --git a/detection_rules/etc/beats_schemas/main.json.gz b/detection_rules/etc/beats_schemas/main.json.gz
index cfd658fed..b0033e71d 100644
Binary files a/detection_rules/etc/beats_schemas/main.json.gz and b/detection_rules/etc/beats_schemas/main.json.gz differ
diff --git a/detection_rules/etc/beats_schemas/v9.3.4.json.gz b/detection_rules/etc/beats_schemas/v9.3.4.json.gz
new file mode 100644
index 000000000..24380c5c1
Binary files /dev/null and b/detection_rules/etc/beats_schemas/v9.3.4.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz
index f91eb552c..771256dca 100644
Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz
index 557b4ce41..f4863a26f 100644
Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz
index 572e283ab..8fce2d01c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz
index 7fe170ced..406174a93 100644
Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz
index 0b61dfb07..2d932f305 100644
Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz
index 03a5ab6f9..1d4523eab 100644
Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz
index b265d862d..ad4d3811b 100644
Binary files a/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz
index 79cafb147..7bf308374 100644
Binary files a/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz
index 0b6bf515b..a37735d6c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz
index 41310dc5b..03c968111 100644
Binary files a/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz
index 6fdab0a62..565cbbca6 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz
index 779a634a4..df0c5f6d2 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz
index f1936f05b..e06a18ffb 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz
index 7932a2ecf..1e896caf6 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz
index 6e356e750..852bf7251 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz
index 99b4d18d0..c7628178d 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz
index 7218ff04b..2082a3b72 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz
index f3546c8f5..0a3481b4a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz
index 444cc41fe..9655be99a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz
index ecba8dc07..18fa2fed1 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz
index b7d20d3fb..b52392f76 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz
index ec6fd293e..7cf8ca8a3 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz
index e962806dd..cf970e0d7 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz
index 272726730..3ff12955d 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz
index 609c6d7fc..54a0640b9 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz
index 0e56ff2bf..61d7ac40b 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz
index d16e23447..a95145cd4 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz
index cd14c2198..6a3f00337 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz
index 1a8965bfb..c7fbfe0c5 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz
index a234a3da8..7c27cbf1b 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz
index 5c42efb1d..c4630b6ee 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz
index 1631400ef..cbc94cf3b 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz
index 6496d19ee..cf60e6bb6 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz
index 7092c1deb..8f80d3642 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz
index b921a37c8..cae649946 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz
index a5609e100..f8097bf50 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz
index 621c00447..51f807f66 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz
index 10b420a12..824692c42 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz
index 9bd652022..4922380bc 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz
index f38a20b93..6aadfb9db 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz
index 7388a7467..435bf845b 100644
Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz
index 95c7d7f9a..64b8f2b95 100644
Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz
index 56ea0990a..6b47044d9 100644
Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz
index 7e1b0b584..d117d4287 100644
Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz
index 83d17f686..58367cc4f 100644
Binary files a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz
index 685a52367..0d04c2dbd 100644
Binary files a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz
index d7d9c9e78..ee97c4dbe 100644
Binary files a/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz
index d47b89057..8671d3802 100644
Binary files a/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz
index c83c0c11d..1c78100be 100644
Binary files a/detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.1.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.1.0/ecs_nested.json.gz
index dd09c7c7a..38fa16cc2 100644
Binary files a/detection_rules/etc/ecs_schemas/9.1.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.1.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_flat.json.gz
index 3116aa8c1..fa32e881f 100644
Binary files a/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_nested.json.gz
index 848dc4373..485948d09 100644
Binary files a/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.2.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.2.0/ecs_flat.json.gz
index 03bac894c..d85f749e0 100644
Binary files a/detection_rules/etc/ecs_schemas/9.2.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.2.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.2.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.2.0/ecs_nested.json.gz
index bd39bcf96..2c92c6142 100644
Binary files a/detection_rules/etc/ecs_schemas/9.2.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.2.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_flat.json.gz
index 1f5d46621..613d79d96 100644
Binary files a/detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_nested.json.gz
index 497c9f8ca..a1761f2c4 100644
Binary files a/detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.3.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.3.0/ecs_flat.json.gz
index aa93b0ffd..a837c4fa9 100644
Binary files a/detection_rules/etc/ecs_schemas/9.3.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.3.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.3.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.3.0/ecs_nested.json.gz
index f26d8241a..0b7837c9e 100644
Binary files a/detection_rules/etc/ecs_schemas/9.3.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.3.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.4.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.4.0-rc1/ecs_flat.json.gz
index a32fe24a7..5a9361621 100644
Binary files a/detection_rules/etc/ecs_schemas/9.4.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.4.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.4.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.4.0-rc1/ecs_nested.json.gz
index a3b3b0e00..b84b3889e 100644
Binary files a/detection_rules/etc/ecs_schemas/9.4.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.4.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz
index b4664f048..7b4995b07 100644
Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz
index d43100d67..e006d6555 100644
Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ
diff --git a/detection_rules/etc/stack-schema-map.yaml b/detection_rules/etc/stack-schema-map.yaml
index a532c8585..7b8c539f0 100644
--- a/detection_rules/etc/stack-schema-map.yaml
+++ b/detection_rules/etc/stack-schema-map.yaml
@@ -150,11 +150,11 @@
   endgame: "8.4.0"
 
 "9.4.0":
-  beats: "9.3.3"
+  beats: "9.3.4"
   ecs: "9.4.0-rc1"
   endgame: "8.4.0"
 
 "9.5.0":
-  beats: "9.3.3"
+  beats: "9.3.4"
   ecs: "9.4.0-rc1"
   endgame: "8.4.0"
\ No newline at end of file
diff --git a/pyproject.toml b/pyproject.toml
index 60d9411e4..2774b1692 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.6.31"
+version = "1.6.32"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
index e79f71949..ccfb2ce64 100644
--- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
+++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2026/04/21"
+updated_date = "2026/05/04"
 
 [rule]
 author = ["Elastic"]
@@ -26,6 +26,28 @@ index = [
 language = "eql"
 license = "Elastic License v2"
 name = "Microsoft IIS Service Account Password Dumped"
+note = """ ## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Microsoft IIS Service Account Password Dumped
+
+This rule detects the IIS administration utility being launched to print full web server configuration or credential-bearing settings, which can expose application pool usernames, passwords, and connection strings in clear text. An attacker who lands on a Windows web server through a web shell can run the tool to enumerate process model settings, recover the service account password, and reuse those credentials for lateral movement or deeper access to backend systems.
+
+### Possible investigation steps
+
+- Review the process tree, executing user, logon session, integrity level, and remote-interactive context to determine whether the command was launched by an authorized administrator, a scripted maintenance task, or through a suspicious parent such as cmd.exe, powershell.exe, w3wp.exe, or a web shell.
+- Build a short timeline on the host around the execution to identify adjacent discovery or credential-access activity, including archive or encode tools, file staging in web directories, registry access, and outbound connections to unusual internal or external destinations.
+- Inspect recent IIS and web server activity for signs of exploitation, such as requests to newly created ASPX or PHP files, requests containing command-execution parameters, uploads to writable web paths, or authentication bypass behavior preceding the event.
+- Determine which application pools, virtual directories, or connection strings were exposed, then review subsequent authentication and service activity for the recovered account on other systems to spot lateral movement, privilege escalation, or access to databases and file shares.
+- If the activity is unauthorized, preserve the relevant IIS configuration and web content for forensics, search the environment for the same account or host communicating elsewhere, and prioritize password rotation for affected service accounts and secrets.
+
+### False positive analysis
+
+- An IIS administrator may legitimately run AppCmd to review application pool identities or troubleshoot authentication issues, so verify the command aligns with an approved maintenance window or change request and was launched by an expected administrative account.
+- A scheduled server administration script may enumerate full IIS configuration or connection strings during backup, migration validation, or configuration auditing, so confirm the parent process and execution time match a known scheduled task or recurring maintenance pattern and that no suspicious follow-on activity occurred.
+"""
 references = ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"]
 risk_score = 21
 rule_id = "0564fb9d-90b9-4234-a411-82a546dc1343"
@@ -42,6 +64,7 @@ tags = [
     "Data Source: Sysmon",
     "Data Source: SentinelOne",
     "Data Source: Crowdstrike",
+    "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"