Agent Spoofing - Mismatched Agent ID
Detects events whose agent ID does not match the one expected for them. The status "agent_id_mismatch/mismatch" is set when the agent ID bound to the API key that shipped an event does not match the agent ID carried in the event itself. This can indicate an attempt to spoof events in order to disguise actual activity and evade detection.
Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2021/07/14"
maturity = "production"
updated_date = "2024/05/31"

[rule]
author = ["Elastic"]
description = """
Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch/mismatch" occurs when
the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate
attempts to spoof events in order to masquerade actual activity to evade detection.
"""
false_positives = [
    """
    This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the
    necessary field, resulting in false positives.
    """,
]
from = "now-9m"
index = ["logs-*", "metrics-*", "traces-*"]
language = "kuery"
license = "Elastic License v2"
name = "Agent Spoofing - Mismatched Agent ID"
risk_score = 73
rule_id = "3115bd2c-0baa-4df0-80ea-45e474b5ef93"
severity = "high"
tags = ["Use Case: Threat Detection", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.agent_id_status:(agent_id_mismatch or mismatch)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
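The following is an added worked example, not code from Elastic or from the rule itself. It models in Python what the rule above evaluates: a simplified version of the ingest-time check that sets `event.agent_id_status` (an assumption about how the status is derived, reduced to a comparison of the agent ID bound to the API key with `agent.id` in the event body), the KQL query `event.agent_id_status:(agent_id_mismatch or mismatch)` applied to NDJSON documents, and the rule's `from = "now-9m"` lookback evaluated on `event.ingested` as `timestamp_override` specifies. The sample documents, agent IDs and the fixed `NOW` are constructed for the example. It also shows the edge case from the false-positives note: a document with no `event.agent_id_status` field at all (as shipped by an agent older than 7.14) can never match the query, so the example counts such documents separately instead of treating them as hits.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Any, Optional

# Status values the rule's KQL matches: event.agent_id_status:(agent_id_mismatch or mismatch)
MATCHING_STATUSES = frozenset({"agent_id_mismatch", "mismatch"})

# Lookback from the rule: from = "now-9m", evaluated on event.ingested (timestamp_override)
LOOKBACK = timedelta(minutes=9)

# Constructed "now" so the example is deterministic; not taken from a real rule run.
NOW = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)


def compute_agent_id_status(api_key_agent_id: Optional[str], event_agent_id: Optional[str]) -> str:
    """Simplified model (an assumption, not Fleet's own code) of the ingest-time check that sets
    event.agent_id_status: the agent ID bound to the API key that shipped the event is compared
    with the agent.id carried in the event body."""
    if api_key_agent_id is None:
        return "auth_metadata_missing"   # key carries no agent binding: nothing to compare against
    if event_agent_id is None:
        return "missing"                 # event body carries no agent.id
    if api_key_agent_id == event_agent_id:
        return "verified"
    return "mismatch"                    # the value the rule alerts on


def get_field(doc: dict, dotted: str) -> Any:
    """Resolve a dotted ECS field name against a nested JSON document; None if absent."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def rule_matches(doc: dict) -> bool:
    """Python equivalent of the rule's KQL. A document without event.agent_id_status
    (e.g. shipped by an agent older than 7.14) cannot match and is never a hit."""
    status = get_field(doc, "event.agent_id_status")
    if status is None:
        return False
    if isinstance(status, list):         # KQL matches if any value of a multi-valued field matches
        return any(s in MATCHING_STATUSES for s in status)
    return status in MATCHING_STATUSES


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def run_rule(ndjson: str, now: datetime = NOW) -> dict:
    """Apply the rule to NDJSON documents: keep only those ingested within the lookback window,
    then evaluate the query. Returns hits plus a count of documents the rule cannot judge."""
    hits, unverifiable, total = [], 0, 0
    for line in ndjson.strip().splitlines():
        doc = json.loads(line)
        total += 1
        ingested = parse_ts(get_field(doc, "event.ingested"))
        if ingested < now - LOOKBACK or ingested > now:
            continue                     # outside now-9m .. now: not part of this rule run
        if rule_matches(doc):
            hits.append({"agent.id": get_field(doc, "agent.id"),
                         "status": get_field(doc, "event.agent_id_status"),
                         "dataset": get_field(doc, "event.dataset")})
        elif get_field(doc, "event.agent_id_status") is None:
            unverifiable += 1
    return {"total": total, "hits": hits, "unverifiable": unverifiable}


# Constructed sample documents (not real Fleet output); agent IDs are placeholders.
# Document 2 claims to be agent-aaaa but was shipped under a key bound to another agent.
# Document 3 has no event.agent_id_status field at all. Document 4 is outside the lookback.
SAMPLE_NDJSON = """
{"@timestamp":"2024-06-01T11:58:00Z","event":{"ingested":"2024-06-01T11:58:05Z","dataset":"endpoint.events.process","agent_id_status":"verified"},"agent":{"id":"agent-aaaa"}}
{"@timestamp":"2024-06-01T11:58:30Z","event":{"ingested":"2024-06-01T11:58:35Z","dataset":"endpoint.events.process","agent_id_status":"mismatch"},"agent":{"id":"agent-aaaa"}}
{"@timestamp":"2024-06-01T11:59:00Z","event":{"ingested":"2024-06-01T11:59:02Z","dataset":"system.syslog"},"agent":{"id":"agent-old"}}
{"@timestamp":"2024-06-01T11:20:00Z","event":{"ingested":"2024-06-01T11:20:04Z","dataset":"endpoint.events.network","agent_id_status":"agent_id_mismatch"},"agent":{"id":"agent-bbbb"}}
{"@timestamp":"2024-06-01T11:59:40Z","event":{"ingested":"2024-06-01T11:59:45Z","dataset":"endpoint.events.file","agent_id_status":"agent_id_mismatch"},"agent":{"id":"agent-cccc"}}
"""

if __name__ == "__main__":
    print(json.dumps(run_rule(SAMPLE_NDJSON), indent=2))
```

Against the constructed input the run yields two hits (the `mismatch` document claiming `agent-aaaa` and the `agent_id_mismatch` document from `agent-cccc`), one document it cannot judge because the status field is absent, and one document dropped by the nine-minute window. The `unverifiable` count is the thing worth watching when tuning this rule: a non-zero value means some data sources are still shipping without the field the query depends on, which is exactly the situation the false-positives note describes.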
Related rules
- Attempt to Clear Kernel Ring Buffer
- Attempt to Disable Gatekeeper
- Attempt to Install Root Certificate
- Attempt to Unload Elastic Endpoint Security Kernel Extension
- Base16 or Base32 Encoding/Decoding Activity