Update defense_evasion_agent_spoofing_multiple_hosts.toml

Author: Samirbous

rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/13"
 
 [rule]
 author = ["Elastic"]
@@ -17,19 +17,21 @@ false_positives = [
     """,
 ]
 from = "now-9m"
-index = ["logs-*", "metrics-*", "traces-*"]
-language = "kuery"
+language = "esql"
 license = "Elastic License v2"
 name = "Agent Spoofing - Multiple Hosts Using Same Agent"
 risk_score = 73
 rule_id = "493834ca-f861-414c-8602-150d5505b777"
 severity = "high"
 tags = ["Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
-type = "threshold"
+type = "esql"
 
 query = '''
-event.agent_id_status:* and not tags:forwarded
+from logs-endpoint.*  metadata _id
+| where event.agent_id_status is not null and tags != "forwarded"
+| stats Esql.count_distinct_host_ids = count_distinct(host.id), Esql.host_id_values = values(host.id), Esql.user_id_values(user.id), Esql.user_id_values(user.name)  by agent.id
+| where Esql.count_distinct_host_ids >= 2
 '''
 note = """## Triage and analysis
 
@@ -80,11 +82,4 @@ id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
 
-[rule.threshold]
-field = ["agent.id"]
-value = 2
-[[rule.threshold.cardinality]]
-field = "host.id"
-value = 2
-