"Agent Spoofing - Multiple Hosts Using Same Agent" message since 2.4.190 upgrade

[rfuller318]

Version

2.4.190

Installation Method

Security Onion ISO image

Description

upgrading

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

16 physical, 32 with hyperthread

RAM

128

Storage for /

32 TB

Storage for /nsm

28 TB

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Since upgrading to 2.4.190 two days ago, I am getting several alerts in Elastic Security on the Kibana side stating "Agent Spoofing - Multiple Hosts Using Same Agent" indicating multiple Elastic Agents having the same Agent ID. I've never seen that message before during this entire deployment.

Any ideas on where I should even start troubleshooting?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[rfuller318]

Anyone have any ideas on how to troubleshoot this particular issue?

[reyesj2]

It looks like that rule query is

event.agent_id_status:* and not tags:forwarded

that event.agent_id_status field appears to have an issue open with it when ingesting logs using logstash (Security Onion logs go from agent -> logstash -> redis) elastic/kibana#183959 note the comment elastic/kibana#183959 (comment)

[rfuller318]

Ah, I see. Thanks for the note. I am going to make an exception for that detection until they can sort things out.