[Rule Tuning] ESQL Query Field Dynamic Field Standardization

## Align ESQL Queries with Field Naming Guidelines

### Summary

This issue tracks updates to existing ESQL-based detection rules to align with the new field naming guidelines established by the TRADE team.

### Objective

Ensure all dynamic or transformed fields in prebuilt ESQL rules follow the approved `esql.` prefixing convention and related guardrails to improve clarity, maintainability, and telemetry support.

### Tasks

- [x] Audit existing ESQL rules for field naming inconsistencies
- [x] Apply `esql.` prefix to all dynamic or transformed fields
- [x] Preserve original ECS or integration field paths when transformed
- [x] Use `.count`, `.avg`, `.hash`, etc. suffixes for `stats` and other processing commands
- [x] Avoid overwriting ECS field names with transformed values
- [x] Apply consistent naming for all field-generating commands (`eval`, `stats`, `grok`, `dissect`, `mv_`, `rename`, etc.)

### Rules to Review

- [x] [Potential Widespread Malware Infection Across Multiple Hosts](https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/execution_potential_widespread_malware_infection.toml)
- [x] [Microsoft Azure or Mail Sign-in from a Suspicious Source](https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml)
- [x] [AWS EC2 Multi-Region DescribeInstances API Calls](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml)
- [x] [AWS Discovery API Calls via CLI from a Single Resource](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml)
- [x] [AWS Service Quotas Multi-Region `GetServiceQuota` Requests](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/discovery_servicequotas_multi_region_service_quota_requests.toml)
- [x] [AWS EC2 EBS Snapshot Shared or Made Public](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml)
- [x] [AWS S3 Bucket Enumeration or Brute Force](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml)
- [x] [AWS EC2 EBS Snapshot Access Removed](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/impact_ec2_ebs_snapshot_access_removed.toml)
- [x] [Potential AWS S3 Bucket Ransomware Note Uploaded](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_extension.toml)
- [x] [AWS S3 Object Encryption Using External KMS Key](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/impact_s3_object_encryption_with_external_key.toml)
- [x] [AWS S3 Static Site JavaScript File Uploaded](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/impact_s3_static_site_js_file_uploaded.toml)
- [x] [AWS Access Token Used from Multiple Addresses](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml)
- [x] [AWS Signin Single Factor Console Login with Federated User](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml)
- [x] [AWS IAM Login Profile Added for Root](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_iam_create_login_profile_for_root.toml) - No Change Needed
- [x] [AWS IAM User Created Access Keys For Another User](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml) - No Change Needed
- [x] [AWS IAM AdministratorAccess Policy Attached to Group](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml)
- [x] [AWS IAM AdministratorAccess Policy Attached to Role](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml)
- [x] [AWS IAM AdministratorAccess Policy Attached to User](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml)
- [x] [AWS STS Role Chaining](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/privilege_escalation_sts_role_chaining.toml) - No Change Needed
- [x] [AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws_bedrock/aws_bedrock_execution_without_guardrails.toml)
- [x] [AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_by_single_user.toml)
- [x] [AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml)
- [x] [Unusual High Confidence Content Filter Blocks Detected](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml)
- [x] [Potential Abuse of Resources by High Token Count and Large Response Sizes](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws_bedrock/aws_bedrock_high_resource_consumption_detection.toml)
- [x] [AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml)
- [x] [Unusual High Denied Sensitive Information Policy Blocks Detected](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml)
- [x] [Unusual High Denied Topic Blocks Detected](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml)
- [x] [AWS Bedrock Detected Multiple Validation Exception Errors by a Single User](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml)
- [x] [Unusual High Word Policy Blocks Detected](https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml)
- [x] [Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties](https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_azure_entra_suspicious_signin.toml)
- [x] [Azure Entra MFA TOTP Brute Force Attempts](https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_azure_entra_totp_brute_force_attempts.toml)
- [x] [Microsoft Entra ID Sign-In Brute Force Activity](https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml)
- [x] [Microsoft Entra ID Exccessive Account Lockouts Detected](https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml)
- [x] [Microsoft 365 Brute Force via Entra ID Sign-Ins](https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml)
- [x] [Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source](https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml) - Deprecated
- [x] [Microsoft Entra ID Session Reuse with Suspicious Graph Access](https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml)
- [x] [Suspicious Microsoft OAuth Flow via Auth Broker to DRS](https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml)
- [x] [Potential Denial of Azure OpenAI ML Service](https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure_openai/azure_openai_denial_of_ml_service_detection.toml)
- [x] [Azure OpenAI Insecure Output Handling](https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure_openai/azure_openai_insecure_output_handling_detection.toml)
- [x] [Potential Azure OpenAI Model Theft](https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure_openai/azure_openai_model_theft_detection.toml)
- [x] [M365 OneDrive Excessive File Downloads with OAuth Token](https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml)
- [x] [Multiple Microsoft 365 User Account Lockouts in Short Time Window](https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml)
- [x] [Potential Microsoft 365 User Account Brute Force](https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/credential_access_microsoft_365_potential_user_account_brute_force.toml)
- [x] [Suspicious Microsoft 365 UserLoggedIn via OAuth Code](https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml)
- [x] [Multiple Device Token Hashes for Single Okta Session](https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml)
- [x] [Multiple Okta User Authentication Events with Client Address](https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml)
- [x] [Multiple Okta User Authentication Events with Same Device Token Hash](https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml)
- [x] [High Number of Okta Device Token Cookies Generated for Authentication](https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml)
- [x] [Okta User Sessions Started from Different Geolocations](https://github.com/elastic/detection-rules/blob/main/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml)
- [x] [High Number of Egress Network Connections from Unusual Executable](https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml)
- [x] [Unusual Base64 Encoding/Decoding Activity](https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_base64_decoding_activity.toml)
- [x] [Potential Port Scanning Activity from Compromised Host](https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_port_scanning_activity_from_compromised_host.toml)
- [x] [Potential Subnet Scanning Activity from Compromised Host](https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml)
- [x] [Unusual File Transfer Utility Launched](https://github.com/elastic/detection-rules/blob/main/rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml)
- [x] [Potential Malware-Driven SSH Brute Force Attempt](https://github.com/elastic/detection-rules/blob/main/rules/linux/impact_potential_bruteforce_malware_infection.toml)
- [x] [Unusual Process Spawned from Web Server Parent](https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_web_server_sus_child_spawned.toml)
- [x] [Unusual Command Execution from Web Server Parent](https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_web_server_sus_command_execution.toml)
- [x] [Rare Connection to WebDAV Target](https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_rare_webdav_destination.toml)
- [x] [Potential PowerShell Obfuscation via Invalid Escape Sequences](https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_posh_obfuscation_backtick.toml)
- [x] [Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion](https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml)
- [x] [Potential PowerShell Obfuscation via Character Array Reconstruction](https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml)
- [x] [Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation](https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml)
- [x] [Potential PowerShell Obfuscation via High Numeric Character Proportion](https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml)
- [x] [Potential Dynamic IEX Reconstruction via Environment Variables](https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml)
- [x] [Dynamic IEX Reconstruction via Method String Access](https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml)
- [x] [PowerShell Obfuscation via Negative Index String Reversal](https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml)
- [x] [Potential PowerShell Obfuscation via Reverse Keywords](https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml)
- [x] [Potential PowerShell Obfuscation via String Concatenation](https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml)
- [x] [Potential PowerShell Obfuscation via String Reordering](https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_posh_obfuscation_string_format.toml)
- [x] [Potential PowerShell Obfuscation via Special Character Overuse](https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml)
- [x] [Potential Malicious PowerShell Based on Alert Correlation](https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_posh_malicious_script_agg.toml)
- [x] [Potential PowerShell Obfuscation via High Special Character Proportion](https://github.com/elastic/detection-rules/blob/main/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml)
- [x] [Unusual File Creation by Web Server](https://github.com/elastic/detection-rules/blob/main/rules_building_block/persistence_web_server_sus_file_creation.toml)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Rule Tuning] ESQL Query Field Dynamic Field Standardization #4909

Align ESQL Queries with Field Naming Guidelines

Summary

Objective

Tasks

Rules to Review

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Rule Tuning] ESQL Query Field Dynamic Field Standardization #4909

Description

Align ESQL Queries with Field Naming Guidelines

Summary

Objective

Tasks

Rules to Review

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions