[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)

* [Rule Tuning] Change event.dataset to data_stream.dataset

* updating ESQL field names

rules/linux/persistence_web_server_sus_command_execution.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/03/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/10"
 
 [rule]
 author = ["Elastic"]
@@ -150,7 +150,7 @@ from logs-endpoint.events.process-* metadata _id, _index, _version
     process.parent.executable,
     agent.id,
     host.name,
-    event.dataset,
+    data_stream.dataset,
     data_stream.namespace
 
 | stats
@@ -158,7 +158,7 @@ from logs-endpoint.events.process-* metadata _id, _index, _version
     Esql.agent_id_count_distinct = count_distinct(agent.id),
     Esql.host_name_values = values(host.name),
     Esql.agent_id_values = values(agent.id),
-    Esql.event_dataset_values = values(event.dataset),
+    Esql.data_stream_dataset_values = values(data_stream.dataset),
     Esql.data_stream_namespace_values = values(data_stream.namespace)
 
   by process.command_line, process.working_directory, process.parent.executable