From a6548d977324e7c7bbc32217dda2f4c62c9a40fc Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Fri, 12 Dec 2025 17:47:11 +0000
Subject: [PATCH] Update defense_evasion_agent_spoofing_multiple_hosts.toml (#5446)

---
 .../defense_evasion_agent_spoofing_multiple_hosts.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
index 3cceaea18..84468fac2 100644
--- a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/11/13"
+updated_date = "2025/12/10"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@
 type = "esql"
 query = '''
 from logs-endpoint.* metadata _id
-| where event.agent_id_status is not null
+| where event.agent_id_status is not null and agent.id is not null
 | stats Esql.count_distinct_host_ids = count_distinct(host.id), Esql.host_id_values = values(host.id), Esql.user_id_values_user_id = values(user.id) by agent.id
 | where Esql.count_distinct_host_ids >= 2
 | keep Esql.count_distinct_host_ids, Esql.host_id_values, Esql.user_id_values_user_id, agent.id
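Review bot: The new `agent.id is not null` guard on the `where` line carries no explanation, and because the hunk's own context shows `agent.id` is the `stats ... by` key, the reason is easy to lose on the next edit: presumably ES|QL groups events lacking the key into a single null bucket, whose distinct `host.id` count would trivially reach the `>= 2` threshold and fire on every run. Consider an ES|QL line comment directly above the `where`, e.g. `// agent.id is the stats key; drop events without one so a null bucket cannot meet the host-count threshold`, or a sentence to that effect in the rule's note or description outside this hunk. Separately, `metadata _id` on the `from` line is never kept after `stats`, so it looks unused in this aggregating query; keep it only if the repo's ES|QL rule conventions require it. The `query` multi-line string continues past the hunk; its closing `'''` is outside the visible lines.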