[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)

* [Rule Tuning] Change event.dataset to data_stream.dataset

* updating ESQL field names

rules/linux/execution_executable_stack_execution.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/01/07"
 integration = ["system"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -50,7 +50,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "query"
 query = '''
-host.os.type:"linux" and event.dataset:"system.syslog" and process.name:"kernel" and
+host.os.type:"linux" and data_stream.dataset:"system.syslog" and process.name:"kernel" and
 message:"started with executable stack"
 '''
 note = """## Triage and analysis