diff --git a/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml b/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml
index ba1f3bf40..58054fcd6 100644
--- a/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml
+++ b/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/02"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ note = """
 ### Investigating AWS S3 Object Encryption Using External KMS Key
 
 This rule detects the use of an external AWS KMS key to encrypt objects within an S3 bucket. Adversaries with access to a misconfigured S3 bucket may use an external key to copy objects within a bucket and deny victims the ability to access their own data.
-This rule uses [ES|QL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule) to look for use of the `CopyObject` operation where the target bucket's `cloud.account.id` is different from the `key.account.id` dissected from the AWS KMS key used for encryption.
+This rule uses [ESQL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule) to look for use of the `CopyObject` operation where the target bucket's `cloud.account.id` is different from the `key.account.id` dissected from the AWS KMS key used for encryption.
 
 #### Possible Investigation Steps:
 
diff --git a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
index 9743dfd86..36c9ab1ca 100644
--- a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
+++ b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ note = """## Triage and analysis
 
 AWS access keys created for IAM users or root user are long-term credentials that provide programmatic access to AWS.
 With access to the `iam:CreateAccessKey` permission, a set of compromised credentials could be used to create a new
-set of credentials for another user for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule)
+set of credentials for another user for privilege escalation or as a means of persistence. This rule uses [ESQL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule)
 to look for use of the `CreateAccessKey` operation where the user.name is different from the user.target.name.
 
 
diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
index 2af357fbb..54972f450 100644
--- a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/31"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ note = """## Triage and analysis
 
 The AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources.
 With access to the `iam:AttachGroupPolicy` permission, a set of compromised credentials could be used to attach
-this policy to the current user's groups for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule)
+this policy to the current user's groups for privilege escalation or as a means of persistence. This rule uses [ESQL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule)
 to look for use of the `AttachGroupPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.
 
 
diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
index 3c8939f17..77254acc4 100644
--- a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/31"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ note = """## Triage and analysis
 
 The AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources.
 With access to the `iam:AttachRolePolicy` permission, a set of compromised credentials could be used to attach
-this policy to a compromised role for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule)
+this policy to a compromised role for privilege escalation or as a means of persistence. This rule uses [ESQL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule)
 to look for use of the `AttachRolePolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.
 
 
diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
index 3f6e64b95..906e2d40b 100644
--- a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/30"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ note = """## Triage and analysis
 
 The AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources.
 With access to the `iam:AttachUserPolicy` permission, a set of compromised credentials could be used to attach
-this policy to the current user for privilege escalation or another user as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule)
+this policy to the current user for privilege escalation or another user as a means of persistence. This rule uses [ESQL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule)
 to look for use of the `AttachUserPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.
 
 
diff --git a/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml b/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml
index bf9ebf3df..bc84da897 100644
--- a/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml
+++ b/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml
@@ -2,9 +2,9 @@
 creation_date = "2024/09/06"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "Elastic ES|QL values aggregation is more performant in 8.16.5 and above."
+min_stack_comments = "Elastic ESQL values aggregation is more performant in 8.16.5 and above."
 min_stack_version = "8.17.0"
-updated_date = "2025/07/02"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml b/rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml
index 6e62d69af..6feacb31a 100644
--- a/rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml
+++ b/rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/08" integration = ["azure"] maturity = "production" -updated_date = "2025/07/02" +updated_date = "2025/07/10" [rule] author = ["Elastic"] @@ -32,7 +32,7 @@ This rule identifies when Microsoft Graph is accessed from a different IP than t but using the same session ID within 5 minutes. This may suggest an adversary has stolen a session cookie or refresh/access token and is impersonating the user from an alternate host or location. -This rule uses ES|QL aggregations and thus has dynamically generated fields. Correlation of the values in the alert document may need to be +This rule uses ESQL aggregations and thus has dynamically generated fields. Correlation of the values in the alert document may need to be performed to the original sign-in and Graph events for further context. ### Investigation Steps diff --git a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml index 170338255..6976ee1c1 100644 --- a/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml +++ b/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml @@ -2,7 +2,7 @@ creation_date = "2025/02/19" integration = ["o365"] maturity = "production" -updated_date = "2025/03/20" +updated_date = "2025/07/10" [rule] author = ["Elastic"] 
@@ -27,7 +27,7 @@ note = """## Triage and Analysis
 
 This rule detects an excessive number of files downloaded from OneDrive using OAuth authentication. Threat actors may use OAuth phishing attacks, such as **Device Code Authentication phishing**, to obtain valid access tokens and perform unauthorized data exfiltration. This method allows adversaries to bypass traditional authentication mechanisms, making it a stealthy and effective technique.
 
-This rule leverages ES|QL aggregations which limit the field values available in the alert document. To investigate further, it is recommended to identify the original documents ingested.
+This rule leverages ESQL aggregations which limit the field values available in the alert document. To investigate further, it is recommended to identify the original documents ingested.
 
 #### Possible Investigation Steps
 
diff --git a/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml b/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml
index 203e8cc6f..b2cb4e271 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/10"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ note = """## Triage and Analysis
 
 Detects a burst of Microsoft 365 user account lockouts within a short 5-minute window. A high number of IdsLocked login errors across multiple user accounts may indicate brute-force attempts for the same users resulting in lockouts.
 
-This rule uses ES|QL aggregations and thus has dynamically generated fields. Correlation of the values in the alert document may need to be performed to the original sign-in and Graph events for further context.
+This rule uses ESQL aggregations and thus has dynamically generated fields. Correlation of the values in the alert document may need to be performed to the original sign-in and Graph events for further context.
 
 ### Investigation Steps
 
diff --git a/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml b/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
index d3196e7b4..f1109e5cd 100644
--- a/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
+++ b/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/08"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ note = """## Triage and analysis
 This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.
 
 #### Possible investigation steps:
-- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.authentication_context.external_session_id` values can be used to pivot into the raw authentication events related to this alert.
+- Since this is an ESQL rule, the `okta.actor.alternate_id` and `okta.authentication_context.external_session_id` values can be used to pivot into the raw authentication events related to this alert.
 - Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.
 - Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.
 - With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.
diff --git a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml
index e7c7191b1..dd686b857 100644
--- a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml
+++ b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ note = """## Triage and analysis
 This rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.
 
 #### Possible investigation steps:
-Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.
+Since this is an ESQL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.
 - Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.
 - Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.
 - Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.
diff --git a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
index d78f06345..799578c76 100644
--- a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
+++ b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
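Review bot: The rewritten line `+Since this is an ESQL rule, the okta.actor.alternate_id and okta.client.ip values can be used to pivot ...` in credential_access_okta_authentication_for_multiple_users_from_single_source.toml is the only one of the touched Okta notes without the `- ` list marker; the same sentence in credential_access_multiple_device_token_hashes_for_single_okta_session.toml, credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml and credential_access_okta_multiple_device_token_hashes_for_single_user.toml is a bullet under `#### Possible investigation steps:`. Without the marker this sentence renders as a loose paragraph between the heading and the list that follows it. Since the commit already rewrites this line, prefix it with `- ` so it reads `- Since this is an ESQL rule, ...` like its siblings.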
@@ -2,7 +2,7 @@
 creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ note = """## Triage and analysis
 This rule detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.
 
 #### Possible investigation steps:
-- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.debug_context.debug_data.dt_hash` values can be used to pivot into the raw authentication events related to this activity.
+- Since this is an ESQL rule, the `okta.actor.alternate_id` and `okta.debug_context.debug_data.dt_hash` values can be used to pivot into the raw authentication events related to this activity.
 - Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.
 - Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.
 - Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.
diff --git a/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml b/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml
index d3164a325..a5f018981 100644
--- a/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml
+++ b/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ note = """## Triage and analysis
 This rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.
 
 #### Possible investigation steps:
-- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.
+- Since this is an ESQL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.
 - Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.
 - Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.
 - Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.
diff --git a/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml b/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
index e301109a9..d4487daff 100644
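Review bot: The triage paragraph carried as context in credential_access_okta_multiple_device_token_hashes_for_single_user.toml (`This rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. ...`) is word-for-word the opening paragraph of credential_access_okta_authentication_for_multiple_users_from_single_source.toml and describes a different detection than this rule's file name suggests. That reads like a copy-paste leftover, although the rule's query is outside the hunk so I cannot confirm what it actually detects. Since the note is being edited anyway, it would be worth rewriting that first sentence to describe multiple device token hashes observed for a single user, matching the pivot fields (`okta.actor.alternate_id`, `okta.client.ip`) the next line refers to.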
--- a/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
+++ b/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/18"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ note = """
 This rule detects when a specific Okta actor has multiple sessions started from different geolocations. Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations.
 
 #### Possible investigation steps:
-- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.id` values can be used to pivot into the raw authentication events related to this alert.
+- Since this is an ESQL rule, the `okta.actor.alternate_id` and `okta.client.id` values can be used to pivot into the raw authentication events related to this alert.
 - Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.
 - Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.
 - With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.
diff --git a/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml b/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml
index 31c51e7b6..c62b74db0 100644
--- a/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml
+++ b/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml
@@ -2,14 +2,14 @@
 creation_date = "2025/02/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/07"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
 description = """
 This rule detects a high number of egress network connections from an unusual executable on a Linux system. This could
 indicate a command and control (C2) communication attempt, a brute force attack via a malware infection, or other
-malicious activity. ES|QL rules have limited fields available in its alert documents. Make sure to review the original
+malicious activity. ESQL rules have limited fields available in its alert documents. Make sure to review the original
 documents to aid in the investigation of this alert.
 """
 from = "now-61m"
diff --git a/rules/linux/defense_evasion_base64_decoding_activity.toml b/rules/linux/defense_evasion_base64_decoding_activity.toml
index 291b5e634..074373a34 100644
--- a/rules/linux/defense_evasion_base64_decoding_activity.toml
+++ b/rules/linux/defense_evasion_base64_decoding_activity.toml
@@ -2,14 +2,14 @@
 creation_date = "2025/02/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/07"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule leverages ES|QL to detect unusual base64 encoding/decoding activity on Linux systems. Attackers may use base64
+This rule leverages ESQL to detect unusual base64 encoding/decoding activity on Linux systems. Attackers may use base64
 encoding/decoding to obfuscate data, such as command and control traffic or payloads, to evade detection by host- or
-network-based security controls. ES|QL rules have limited fields available in its alert documents. Make sure to review
+network-based security controls. ESQL rules have limited fields available in its alert documents. Make sure to review
 the original documents to aid in the investigation of this alert.
 """
 from = "now-61m"
diff --git a/rules/linux/discovery_port_scanning_activity_from_compromised_host.toml b/rules/linux/discovery_port_scanning_activity_from_compromised_host.toml
index 5b0e0cc6d..b31aa56d3 100644
--- a/rules/linux/discovery_port_scanning_activity_from_compromised_host.toml
+++ b/rules/linux/discovery_port_scanning_activity_from_compromised_host.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/07"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ This rule detects potential port scanning activity from a compromised host. Port
 technique used by attackers to identify open ports and services on a target system. A compromised host may exhibit port
 scanning behavior when an attacker is attempting to map out the network topology, identify vulnerable services, or
 prepare for further exploitation. This rule identifies potential port scanning activity by monitoring network connection
-attempts from a single host to a large number of ports within a short time frame. ES|QL rules have limited fields
+attempts from a single host to a large number of ports within a short time frame. ESQL rules have limited fields
 available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert.
 """
 from = "now-61m"
diff --git a/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml b/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml
index 1e13ae504..4e5da31b1 100644
--- a/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml
+++ b/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/07"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ This rule detects potential subnet scanning activity from a compromised host. Su technique used by attackers to identify live hosts within a network range. A compromised host may exhibit subnet scanning behavior when an attacker is attempting to map out the network topology, identify vulnerable hosts, or prepare for further exploitation. This rule identifies potential subnet scanning activity by monitoring network connection -attempts from a single host to a large number of hosts within a short time frame. ES|QL rules have limited fields +attempts from a single host to a large number of hosts within a short time frame. ESQL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert. """ from = "now-61m" diff --git a/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml b/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml index f35209289..0ec94a90c 100644 --- a/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml +++ b/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml @@ -2,13 +2,13 @@ creation_date = "2025/02/21" integration = ["endpoint"] maturity = "production" -updated_date = "2025/04/07" +updated_date = "2025/07/10" [rule] author = ["Elastic"] description = """ -This rule leverages ES|QL to detect the execution of unusual file transfer utilities on Linux systems. Attackers may use -these utilities to exfiltrate data from a compromised system. ES|QL rules have limited fields available in its alert +This rule leverages ESQL to detect the execution of unusual file transfer utilities on Linux systems. Attackers may use +these utilities to exfiltrate data from a compromised system. ESQL rules have limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert. """ from = "now-61m" 
diff --git a/rules/linux/impact_potential_bruteforce_malware_infection.toml b/rules/linux/impact_potential_bruteforce_malware_infection.toml
index ff69827b6..859f717df 100644
--- a/rules/linux/impact_potential_bruteforce_malware_infection.toml
+++ b/rules/linux/impact_potential_bruteforce_malware_infection.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/07"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ brute-force attacks against external systems over SSH (port 22 and common altern
 for a high volume of outbound connection attempts to non-private IP addresses from a single process. A compromised host
 may be part of a botnet or controlled by an attacker, attempting to gain unauthorized access to remote systems. This
 behavior is commonly observed in SSH brute-force campaigns where malware hijacks vulnerable machines to expand its
-attack surface. ES|QL rules have limited fields available in its alert documents. Make sure to review the original
+attack surface. ESQL rules have limited fields available in its alert documents. Make sure to review the original
 documents to aid in the investigation of this alert.
 """
 from = "now-61m"
diff --git a/rules/linux/persistence_web_server_sus_child_spawned.toml b/rules/linux/persistence_web_server_sus_child_spawned.toml
index 6f6761906..01e65c1d0 100644
--- a/rules/linux/persistence_web_server_sus_child_spawned.toml
+++ b/rules/linux/persistence_web_server_sus_child_spawned.toml
@@ -2,14 +2,14 @@
 creation_date = "2025/03/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/07"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
 description = """
 This rule detects unusual processes spawned from a web server parent process by identifying low frequency counts of
 process spawning activity. Unusual process spawning activity may indicate an attacker attempting to establish
-persistence, execute malicious commands, or establish command and control channels on the host system. ES|QL rules have
+persistence, execute malicious commands, or establish command and control channels on the host system. ESQL rules have
 limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation
 of this alert.
 """
diff --git a/rules/linux/persistence_web_server_sus_command_execution.toml b/rules/linux/persistence_web_server_sus_command_execution.toml
index 604bb77bc..2c796ccc7 100644
--- a/rules/linux/persistence_web_server_sus_command_execution.toml
+++ b/rules/linux/persistence_web_server_sus_command_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/07"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ This rule detects potential command execution from a web server parent process o
 to execute commands from a web server parent process to blend in with normal web server activity and evade detection.
 This behavior is commonly observed in web shell attacks where adversaries exploit web server vulnerabilities to execute
 arbitrary commands on the host. The detection rule identifies unusual command execution from web server parent
-processes, which may indicate a compromised host or an ongoing attack. ES|QL rules have limited fields available in its
+processes, which may indicate a compromised host or an ongoing attack. ESQL rules have limited fields available in its
 alert documents. Make sure to review the original documents to aid in the investigation of this alert.
 """
 from = "now-61m"