From 90bb8b53d8556117ed040bd9b76c49d8a090878c Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Mon, 3 Jun 2024 19:28:24 +0200
Subject: [PATCH] [Rule Tuning] Agent Spoofing (#3729)
---
 ...defense_evasion_agent_spoofing_mismatched_id.toml | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
index 0db7fbdae..0387b769d 100644
--- a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/05/31"
 [rule]
 author = ["Elastic"]
 description = """
-Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch" occurs when the
-expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate
+Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch/mismatch" occurs when
+the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate
 attempts to spoof events in order to masquerade actual activity to evade detection.
 """
 false_positives = [
@@ -29,20 +29,18 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.agent_id_status:agent_id_mismatch
+event.agent_id_status:(agent_id_mismatch or mismatch)
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
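Review bot: The new description text `The status "agent_id_mismatch/mismatch" occurs when` reads as if a single status value literally named `agent_id_mismatch/mismatch` existed, while the query in the second hunk matches two distinct values; an analyst reading the alert description would not know which value to expect on the event. Naming both values explicitly avoids the ambiguity, e.g. `Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch" or "mismatch" occurs` followed by `when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate`. The description string continues past the hunk only by the two context lines shown, so the rewrap fits the existing line width.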
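Review bot: The widened query `event.agent_id_status:(agent_id_mismatch or mismatch)` records nowhere in the rule why two spellings of the status are matched, so a later tuning pass cannot tell whether one of them is a legacy value that can be retired or whether both are still emitted. Presumably the two values come from different Fleet pipeline or agent versions — worth confirming against the pipeline that sets `event.agent_id_status` and stating it in the rule, either as a sentence in `description` or in the rule's investigation note if one exists (the `note` field, if present, lies outside this hunk). A one-line comment above the key would also do if the repository's rule tooling preserves TOML comments: `# Both status spellings are matched; confirm which one current pipelines emit before dropping either.` The hunk also deletes the blank line between `'''` and `[[rule.threat]]` and adds one before `[[rule.threat.technique]]`, which is fine for TOML but is unrelated to the tuning and could be kept out of the same change.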