Agent Spoofing - Mismatched Agent ID

Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch/mismatch" occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate attempts to spoof events in order to masquerade actual activity to evade detection.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2021/07/14"
maturity = "production"
updated_date = "2024/05/31"

[rule]
author = ["Elastic"]
# Investigator note: a hit means the agent ID tied to the API key that signed
# the event differs from the agent ID carried in the event itself, so both the
# API key and the reporting host are worth looking at when triaging.
description = """
Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch/mismatch" occurs when
the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate
attempts to spoof events in order to masquerade actual activity to evade detection.
"""
# Agents older than 7.14 do not emit the status field the query keys on; their
# events will not carry a "verified" status and may surface here as noise.
false_positives = [
    """
    This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the
    necessary field, resulting in false positives.
    """,
]
# Lookback window per execution; presumably chosen to cover the rule's run
# interval plus a few minutes of overlap so late-arriving events are not skipped
# (the interval is not set in this file — confirm against the deployed schedule).
from = "now-9m"
# Wide index coverage: the mismatch status can be attached to any Agent-ingested
# event, not just endpoint or security data streams.
index = ["logs-*", "metrics-*", "traces-*"]
language = "kuery"
license = "Elastic License v2"
name = "Agent Spoofing - Mismatched Agent ID"
risk_score = 73
rule_id = "3115bd2c-0baa-4df0-80ea-45e474b5ef93"
severity = "high"
tags = ["Use Case: Threat Detection", "Tactic: Defense Evasion"]
# Evaluate the lookback window against ingest time rather than the event's own
# @timestamp, so an event whose timestamp is backdated or delayed is still seen.
timestamp_override = "event.ingested"
type = "query"

# Matches either spelling of the mismatch status; only a mismatch is alerted on,
# other status values (e.g. verified) are deliberately out of scope.
query = '''
event.agent_id_status:(agent_id_mismatch or mismatch)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

# Technique and tactic below belong to this [[rule.threat]] element and must
# stay after it (and before any further [[rule.threat]] entry).
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
