From b719927d667b7b9ec95a3ff429b164cb626949cf Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Mon, 3 Jun 2024 19:28:24 +0200
Subject: [PATCH] [Rule Tuning] Agent Spoofing (#3729)

(cherry picked from commit 90bb8b53d8556117ed040bd9b76c49d8a090878c)
---
 ...defense_evasion_agent_spoofing_mismatched_id.toml | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
index 0db7fbdae..0387b769d 100644
--- a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
@@ -1,13 +1,13 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/05/31"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch" occurs when the
-expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate
+Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch/mismatch" occurs when
+the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate
 attempts to spoof events in order to masquerade actual activity to evade detection.
 """
 false_positives = [
@@ -29,20 +29,18 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.agent_id_status:agent_id_mismatch
+event.agent_id_status:(agent_id_mismatch or mismatch)
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1036"
 name = "Masquerading"
 reference = "https://attack.mitre.org/techniques/T1036/"
 
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
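Review bot: The reworded description in the first hunk writes `The status "agent_id_mismatch/mismatch" occurs when`, which reads as one status value spelled with a slash rather than the two distinct `event.agent_id_status` values the second hunk's query now matches with `(agent_id_mismatch or mismatch)`. An analyst triaging an alert should be able to tell from the description which field and which values fired, so I would phrase it as `Detects events whose event.agent_id_status is "agent_id_mismatch" or "mismatch", which occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event.` and keep that list in step with the query whenever either is tuned. The `[rule]` table these hunks belong to starts in the first hunk and its remaining keys (the `false_positives` array and everything up to `timestamp_override`) lie between the hunks, outside this view.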