diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz
index 3166aef5188..31330d07dd7 100644
Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz
index be5dfd6852e..6ac0043ba62 100644
Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ
diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml
index de552073757..a08fc43d7c0 100644
--- a/rules/network/command_and_control_cobalt_strike_beacon.toml
+++ b/rules/network/command_and_control_cobalt_strike_beacon.toml
@@ -2,8 +2,8 @@
 creation_date = "2020/07/06"
 integration = ["network_traffic"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+min_stack_comments = "Network integration fields updated for ECS compatibility (type -> network.protocol)"
+min_stack_version = "8.10.0"
 updated_date = "2023/10/16"
 
 [rule]
@@ -21,7 +21,7 @@ false_positives = [
 ]
 from = "now-9m"
 index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
-language = "lucene"
+language = "eql"
 license = "Elastic License v2"
 name = "Cobalt Strike Command and Control Beacon"
 note = """## Threat intel
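Review bot: The new `min_stack_comments` only records the `type -> network.protocol` field rename, yet the same commit also converts this rule from a Lucene `query` rule to EQL (`language = "eql"` in the second hunk, with the matching `type` change further down the file), which is a larger compatibility change than a field rename and is what a maintainer reading the metadata will want to know. Suggest `min_stack_comments = "Network integration fields updated for ECS compatibility (type -> network.protocol); rule converted from Lucene query to EQL"`. The same applies to the metadata hunk of rules/network/command_and_control_fin7_c2_behavior.toml. Whether the prebuilt-rule upgrade path on the targeted stack accepts an in-place rule type change under an unchanged `rule_id` is not visible here and is worth confirming before merge.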
@@ -37,12 +37,14 @@ rule_id = "cf53f532-9cc9-445a-9ae7-fced307ec53c"
 severity = "high"
 tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
 timestamp_override = "event.ingested"
-type = "query"
+type = "eql"
 
 query = '''
-((event.category: (network OR network_traffic) AND type: (tls OR http))
- OR event.dataset: (network_traffic.tls OR network_traffic.http)
- ) AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/
+any where
+ ((event.category in ("network", "network_traffic") and network.protocol in ("tls", "http")) or
+ event.dataset in ("network_traffic.tls", "network_traffic.http")
+ ) and
+ destination.domain regex~ """[a-z]{3}.stage.[0-9]{8}\..*"""
 '''
 
 
diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml
index 0d35fd4ba9e..c82b1f3a83d 100644
--- a/rules/network/command_and_control_fin7_c2_behavior.toml
+++ b/rules/network/command_and_control_fin7_c2_behavior.toml
@@ -2,8 +2,8 @@
 creation_date = "2020/07/06"
 integration = ["network_traffic"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+min_stack_comments = "Network integration fields updated for ECS compatibility (type -> network.protocol)"
+min_stack_version = "8.10.0"
 updated_date = "2023/10/16"
 
 [rule]
@@ -20,7 +20,7 @@ false_positives = [
 ]
 from = "now-9m"
 index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
-language = "lucene"
+language = "eql"
 license = "Elastic License v2"
 name = "Possible FIN7 DGA Command and Control Behavior"
 note = """## Triage and analysis
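Review bot: The new regex `"""[a-z]{3}.stage.[0-9]{8}\..*"""` leaves the dots on either side of `stage` unescaped, so they match any character, while the final dot is escaped; if the intent is the literal `xxx.stage.NNNNNNNN.` prefix, as the escaped trailing `\.` suggests, the pattern should read `"""[a-z]{3}\.stage\.[0-9]{8}\..*"""`. This was carried over from the Lucene form rather than introduced here, but the conversion is the natural point to tighten it. Note also that `regex~` is the case-insensitive variant, so `[a-z]` now also matches upper-case labels, a slight broadening compared with the Lucene `/.../` form that is probably harmless for domain names but should be a deliberate choice rather than a side effect.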
@@ -34,12 +34,15 @@ rule_id = "4a4e23cf-78a2-449c-bac3-701924c269d3"
 severity = "high"
 tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
 timestamp_override = "event.ingested"
-type = "query"
+type = "eql"
 
 query = '''
-(event.dataset: (network_traffic.tls OR network_traffic.http) or
- (event.category: (network OR network_traffic) AND type: (tls OR http) AND network.transport: tcp)) AND
-destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us
+any where
+ ((event.category in ("network", "network_traffic") and network.protocol in ("tls", "http") and network.transport == "tcp") or
+ event.dataset in ("network_traffic.tls", "network_traffic.http")
+ ) and
+ destination.domain regex~ """[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)""" and
+ not destination.domain : "zoom.us"
 '''
 
 
diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml
index fa1a06c6aba..b44ec45c6b0 100644
--- a/rules/network/initial_access_unsecure_elasticsearch_node.toml
+++ b/rules/network/initial_access_unsecure_elasticsearch_node.toml
@@ -2,8 +2,8 @@
 creation_date = "2020/08/11"
 integration = ["network_traffic"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+min_stack_comments = "Network integration fields updated for ECS compatibility (status -> http.response.status_phrase)"
+min_stack_version = "8.10.0"
 updated_date = "2023/10/16"
 
 [rule]
@@ -20,7 +20,7 @@ false_positives = [
 ]
 from = "now-9m"
 index = ["packetbeat-*", "logs-network_traffic.*"]
-language = "lucene"
+language = "kuery"
 license = "Elastic License v2"
 name = "Inbound Connection to an Unsecure Elasticsearch Node"
 note = """## Setup
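Review bot: With the case-insensitive `regex~` operator, the class `[a-zA-Z]{4,5}` is redundant and reads as if case still mattered; `"""[a-z]{4,5}\.(pw|us|club|info|site|top)"""` expresses the same match and makes the case handling explicit in one place. The exclusion `not destination.domain : "zoom.us"` also uses a case-insensitive operator (`:`), so the old `NOT destination.domain:zoom.us` term is preserved only up to case, which is presumably intended for a domain field but should be stated in the PR description since both comparisons in this query change case semantics at once.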
@@ -38,9 +38,10 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-(event.dataset: network_traffic.http OR (event.category: network_traffic AND network.protocol: http)) AND
- status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:"image/x-icon" AND NOT
- _exists_:http.request.headers.authorization
+(event.dataset:network_traffic.http or (event.category:network_traffic and network.protocol:http)) and
+ http.response.status_phrase:ok and destination.port:9200 and network.direction:inbound and
+ not http.response.mime_type:"image/x-icon" and
+ not network_traffic.http.request.headers.authorization:*
 '''
 
 
diff --git a/rules/network/lateral_movement_dns_server_overflow.toml b/rules/network/lateral_movement_dns_server_overflow.toml
index ad311c66b4c..a9e698c8d72 100644
--- a/rules/network/lateral_movement_dns_server_overflow.toml
+++ b/rules/network/lateral_movement_dns_server_overflow.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/07/16"
 integration = ["network_traffic"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/08/01"
+min_stack_comments = "Network integration fields updated for ECS compatibility (type -> network.protocol)"
+min_stack_version = "8.10.0"
+updated_date = "2023/10/16"
 
 [rule]
 author = ["Elastic"]
@@ -74,8 +74,8 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-(event.dataset: network_traffic.dns or (event.category: (network or network_traffic) and destination.port: 53)) and
- (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000
+(event.dataset:network_traffic.dns or (event.category:(network or network_traffic) and destination.port:53)) and
+ (event.dataset:zeek.dns or network.protocol:dns or event.type:connection) and network.bytes > 60000
 '''
 
 
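Review bot: The exclusion `not network_traffic.http.request.headers.authorization:*` replaces `_exists_:http.request.headers.authorization`, but the rule's index pattern (visible in the earlier hunk) still covers `packetbeat-*` next to `logs-network_traffic.*`; if Packetbeat documents keep the header at `http.request.headers.authorization`, authenticated requests from that source are no longer excluded and will start alerting. Unless the field path is confirmed for both shippers, `not (http.request.headers.authorization:* or network_traffic.http.request.headers.authorization:*)` keeps the old behaviour for both. Likewise `http.response.status_phrase:ok` is a case-sensitive match on a keyword field without a normalizer, and the term it replaces was `status:OK`, so a sample document should be checked to confirm the phrase is stored lower-cased. The swap from `http.response.headers.content-type` to `http.response.mime_type` also compares a detected content type rather than the declared header, which deserves a mention in `min_stack_comments` alongside the status field rename.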