From a995f27c136a0b39b197fc20a7c452b83b8790df Mon Sep 17 00:00:00 2001
From: James Valente <65730960+jvalente-salemstate@users.noreply.github.com>
Date: Tue, 25 Jun 2024 07:22:07 -0400
Subject: [PATCH] Tune rule to exclude forwarded events. (#3790)

Events containing "forwarded" as a tag may include host information that is not related to the host running elastic agent. This triggers false positive alerts. Examples include Entity Analytics integrations, Palo Alto GlobalProtect activity, and M365 Defender device events.

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
(cherry picked from commit 0726ce41bff480af1682537cd08b56e62cf72644)
---
 .../defense_evasion_agent_spoofing_multiple_hosts.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
index 6019f522c..0a5ee5c15 100644
--- a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/14"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "threshold"
 query = '''
-event.agent_id_status:*
+event.agent_id_status:* and not tags:forwarded
 '''