From 7b6f4864f028f141e0d35f01abc67c01e9ba47dc Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 13 Nov 2025 17:26:29 +0000
Subject: [PATCH] Update defense_evasion_agent_spoofing_mismatched_id.toml (#5312)

---
 .../defense_evasion_agent_spoofing_mismatched_id.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
index bc9616eb9..975033fd8 100644
--- a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
-updated_date = "2025/11/10"
+updated_date = "2025/11/13"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.agent_id_status:(agent_id_mismatch or mismatch) and not host.name:agentless-*
+event.agent_id_status:agent_id_mismatch and not host.name:agentless-*
 '''
 note = """## Triage and analysis
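Review bot: The rewritten query in the second hunk drops the `mismatch` value from `event.agent_id_status`, which narrows what this rule detects, and nothing in the hunk or the commit subject records why the second value is no longer needed. If `mismatch` is still a status Elastic Agent ingest can emit, events carrying it will no longer trigger this rule; if it is obsolete or was producing noise, that is worth stating so the next maintainer does not reintroduce it. Since a TOML comment cannot live inside the `'''` query string, record the rationale on the line above the key, e.g. `# Only agent_id_mismatch is matched; the former "mismatch" value was dropped on 2025/11/13 (see PR #5312).`, with the actual reason filled in from the PR discussion. The `note` block that begins on the hunk's last line continues outside the hunk, so I could not check whether its triage text still describes the matched status values.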