diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
index 686ff34eb3c..bc9616eb914 100644
--- a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/10"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.agent_id_status:(agent_id_mismatch or mismatch)
+event.agent_id_status:(agent_id_mismatch or mismatch) and not host.name:agentless-*
 '''
 
 note = """## Triage and analysis
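Review bot: The exclusion added to the query in the second hunk, `and not host.name:agentless-*`, matches on `host.name`, which appears to be a value carried in the event itself rather than one derived from the credential that submitted it. Because the rule exists to flag events whose claimed agent identity does not match, a mismatch reported under a host name with that prefix will no longer alert, whatever its real origin. If agentless deployments can be recognised by something the sender does not set (for instance a field stamped at ingest, if one exists), scoping the exclusion to that would keep coverage. Otherwise the blind spot should be recorded next to the query, e.g. `# Excludes hosts named agentless-*; host.name comes from the event, so mismatches reported under that prefix are not alerted.` above `query = '''`. The `note` investigation guide starts on the hunk's last line and continues outside it, so I cannot tell whether it already covers this exclusion.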