From dd567e59dee52002fce79acb8a1d52533d97e982 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Mon, 12 Jan 2026 13:44:13 -0300
Subject: [PATCH] [Rule Deprecation] Agent Spoofing - Mismatched Agent ID (#5552)

* [Rule Deprecation] Agent Spoofing - Mismatched Agent ID

* Update defense_evasion_agent_spoofing_mismatched_id.toml
---
 .../defense_evasion_agent_spoofing_mismatched_id.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
index 975033fd8..cee870c91 100644
--- a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
-updated_date = "2025/11/13"
+updated_date = "2026/01/12"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ from = "now-9m"
 index = ["logs-*", "metrics-*", "traces-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Agent Spoofing - Mismatched Agent ID"
+name = "Deprecated - Agent Spoofing - Mismatched Agent ID"
 risk_score = 73
 rule_id = "3115bd2c-0baa-4df0-80ea-45e474b5ef93"
 severity = "high"
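Review bot: The deprecation is carried only by the `Deprecated - ` prefix added to `name` in the second hunk, while `maturity = "production"` in the `[metadata]` hunk is left as-is and no `deprecation_date` is set, so anything that keys off metadata rather than the display name (rule packaging, dashboards, per-rule tuning) will keep treating this as an active high-severity rule. If this is the first stage of a staged deprecation (rename and ship now, move to the deprecated set later), a sentence saying so in the PR description would make the intent explicit; otherwise the metadata should change alongside the name, e.g. `maturity = "deprecated"` plus a `deprecation_date`, if that is the convention this repository uses. The third hunk renames the investigation-guide heading but the `note` body still describes the detection as current and gives no reason for the deprecation or a replacement rule, which leaves an analyst triaging an alert from the renamed rule without guidance. A one-line addition under the heading such as `This rule is deprecated; see the PR description for the rationale and any replacement rule.` (with the actual reason filled in) would close that gap.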
@@ -36,7 +36,7 @@ note = """## Triage and analysis
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Agent Spoofing - Mismatched Agent ID
+### Investigating Deprecated - Agent Spoofing - Mismatched Agent ID
 
 In security environments, agent IDs uniquely identify software agents that report events. Adversaries may spoof these IDs to disguise unauthorized activities, evading detection systems. The detection rule identifies discrepancies between expected and actual agent IDs, flagging potential spoofing attempts. By monitoring for mismatches, it helps uncover efforts to masquerade malicious actions as legitimate.