[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)

* [Rule Tuning] Change event.dataset to data_stream.dataset * updating ESQL field names
2026-04-10 12:27:52 -04:00
parent 9736407ef3
commit deab1c0161
472 changed files with 1022 additions and 1022 deletions
@@ -2,7 +2,7 @@
 creation_date = "2026/03/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/04/06"
+updated_date = "2026/04/10"

 [rule]
 author = ["Elastic"]
@@ -98,7 +98,7 @@ FROM logs-endpoint.events.process-* METADATA _id, _version, _index
    process.parent.entity_id,
    agent.id,
    host.name,
-    event.dataset,
+    data_stream.dataset,
    data_stream.namespace

 | STATS
@@ -107,7 +107,7 @@ FROM logs-endpoint.events.process-* METADATA _id, _version, _index
  Esql.process_command_line_values = VALUES(process.command_line),
  Esql.host_name_values = values(host.name),
  Esql.agent_id_values = values(agent.id),
-  Esql.event_dataset_values = values(event.dataset),
+  Esql.data_stream_dataset_values = values(data_stream.dataset),
  Esql.data_stream_namespace_values = values(data_stream.namespace)
  BY process.parent.entity_id, agent.id, host.name, Esql.time_window_date_trunc