From 0bd19bb55feee2d9d5750111324a6593fa1c9f20 Mon Sep 17 00:00:00 2001
From: Shashank K S
Date: Mon, 10 Nov 2025 21:11:02 +0530
Subject: [PATCH] Ignore agentless executions in agent_id_status events.
---
 .../defense_evasion_agent_spoofing_mismatched_id.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
index 686ff34eb3c..bc9616eb914 100644
--- a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/10"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.agent_id_status:(agent_id_mismatch or mismatch)
+event.agent_id_status:(agent_id_mismatch or mismatch) and not host.name:agentless-*
 '''
 note = """## Triage and analysis
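Review bot: The new exclusion `not host.name:agentless-*` on the added query line keys on a value that the event source itself supplies, so any event whose `host.name` begins with `agentless-` now passes this rule silently, which sits uneasily with a detection whose premise is that the agent identity in the event cannot be trusted. Nothing in the hunk records why agentless executions are expected to report a mismatched agent id or where the `agentless-` prefix comes from, so a maintainer cannot tell whether it is a contract of the agentless integration or a local naming habit; a comment above `query = '''` such as `# Agentless integrations report a mismatched agent id by design; excluded by host.name prefix (presumed agentless-* naming contract — confirm)` would preserve that. If these events carry a less easily influenced attribute that marks agentless ingestion, narrowing the exclusion to it, or at least to exact host names rather than a prefix glob, would keep the blind spot small. The `note` multi-line string that opens on the last hunk line continues outside the hunk.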