Agent Spoofing - Mismatched Agent ID

Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch" is set when the agent ID bound to the API key that shipped an event does not match the agent ID recorded in the event itself. This could indicate an attempt to spoof events (for example, an API key issued to one agent being used to submit events that claim another agent's identity) in order to disguise actual activity and evade detection.


 1[metadata]
 2creation_date = "2021/07/14"
 3maturity = "production"
 4updated_date = "2023/06/22"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7
 8[rule]
 9author = ["Elastic"]
10description = """Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch"
11occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could
12indicate attempts to spoof events in order to masquerade actual activity to evade detection.
13"""
14false_positives = [
15    """
16    This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the
17    necessary field, resulting in false positives.
18    """,
19]
20from = "now-9m"
21index = ["logs-*", "metrics-*", "traces-*"]
22language = "kuery"
23license = "Elastic License v2"
24name = "Agent Spoofing - Mismatched Agent ID"
25risk_score = 73
26rule_id = "3115bd2c-0baa-4df0-80ea-45e474b5ef93"
27severity = "high"
28tags = ["Use Case: Threat Detection", "Tactic: Defense Evasion"]
29timestamp_override = "event.ingested"
30type = "query"
31
32query = '''
33event.agent_id_status:agent_id_mismatch
34'''
35
36
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39[[rule.threat.technique]]
40id = "T1036"
41name = "Masquerading"
42reference = "https://attack.mitre.org/techniques/T1036/"
43
44
45[rule.threat.tactic]
46id = "TA0005"
47name = "Defense Evasion"
48reference = "https://attack.mitre.org/tactics/TA0005/"
