Agent Spoofing - Mismatched Agent ID

Last updated 21 days ago on 2025-01-15
Created 4 years ago on 2021-07-14

About

Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch/mismatch" occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate attempts to spoof events in order to disguise the actual activity and evade detection.
Tags
Use Case: Threat Detection
Tactic: Defense Evasion
Language: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Defense Evasion (TA0005)

False Positive Examples
This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the necessary field, resulting in false positives.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-*
metrics-*
traces-*
Related Integrations

Query
event.agent_id_status:(agent_id_mismatch or mismatch)
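To see what this rule actually selects, here is an added example (not part of the Elastic rule or its packaging) that parses the rule's `field:(a or b)` KQL shape, evaluates it over a few constructed events and emits the equivalent Elasticsearch `terms` query for ad-hoc hunting; the sample event values and the field-resolution helper are assumptions made for the demonstration.

```python
import re
from typing import Any

# The rule's query as it appears on the page. Fleet sets event.agent_id_status at
# ingest; "mismatch"/"agent_id_mismatch" means the agent ID inside the event differs
# from the agent ID bound to the API key that shipped it.
RULE_QUERY = "event.agent_id_status:(agent_id_mismatch or mismatch)"
_KQL_TERMS = re.compile(r"^\s*([\w.]+)\s*:\s*\(\s*(.+?)\s*\)\s*$")

def parse_terms_query(kql: str) -> tuple[str, frozenset[str]]:
    """Parse the `field:(a or b)` KQL shape into (field, allowed values)."""
    m = _KQL_TERMS.match(kql)
    if not m:
        raise ValueError(f"unsupported KQL shape: {kql!r}")
    field, body = m.groups()
    return field, frozenset(v.strip() for v in re.split(r"\s+or\s+", body, flags=re.I))

def get_field(doc: dict[str, Any], dotted: str) -> list[str]:
    """Resolve a dotted field from a nested or a flattened document.
    Returns a list (ES fields may be multi-valued); empty when the field is absent."""
    if dotted in doc:
        val = doc[dotted]
    else:
        val = doc
        for part in dotted.split("."):
            if not isinstance(val, dict) or part not in val:
                return []
            val = val[part]
    return [str(v) for v in (val if isinstance(val, list) else [val])]

def matching_events(events: list[dict[str, Any]], kql: str = RULE_QUERY) -> list[dict[str, Any]]:
    """Return the events this rule would raise an alert for."""
    field, allowed = parse_terms_query(kql)
    return [e for e in events if allowed & set(get_field(e, field))]

def to_es_dsl(kql: str = RULE_QUERY) -> dict[str, Any]:
    """Equivalent Elasticsearch query DSL (`terms` query) for ad-hoc hunting."""
    field, allowed = parse_terms_query(kql)
    return {"query": {"terms": {field: sorted(allowed)}}}

# Constructed sample events, not real telemetry: the 2nd and 3rd should alert.
SAMPLE_EVENTS = [
    {"@timestamp": "2025-01-15T10:00:00Z", "agent": {"id": "aaaa-1111"}, "event": {"agent_id_status": "verified"}},
    {"@timestamp": "2025-01-15T10:00:01Z", "agent": {"id": "bbbb-2222"}, "event": {"agent_id_status": "mismatch"}},
    {"@timestamp": "2025-01-15T10:00:02Z", "agent.id": "cccc-3333", "event.agent_id_status": "agent_id_mismatch"},
    {"@timestamp": "2025-01-15T10:00:03Z", "agent": {"id": "dddd-4444"}},  # field absent: no match
]
```

Running `matching_events(SAMPLE_EVENTS)` returns the two events whose status is one of the rule's values; the fourth event, which carries no `event.agent_id_status` at all, is not selected by the query.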

Install detection rules in Elastic Security

Detect Agent Spoofing - Mismatched Agent ID in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.