From 4cf883b58446586312561a36b36862c143ce87e4 Mon Sep 17 00:00:00 2001
From: James Valente <65730960+jvalente-salemstate@users.noreply.github.com>
Date: Tue, 25 Jun 2024 07:22:07 -0400
Subject: [PATCH] Tune rule to exclude forwarded events. (#3790)

Events containing "forwarded" as a tag may include host information that is not related to the host running elastic agent. This triggers false positive alerts. Examples include Entity Analytics integrations, Palo Alto GlobalProtect activity, and M365 Defender device events.

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
(cherry picked from commit 0726ce41bff480af1682537cd08b56e62cf72644)
---
 .../defense_evasion_agent_spoofing_multiple_hosts.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
index 6019f522c45..0a5ee5c15a7 100644
--- a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/14"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "threshold"
 query = '''
-event.agent_id_status:*
+event.agent_id_status:* and not tags:forwarded
 '''
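Review bot: `not tags:forwarded` on the new query line excludes events on a field the event producer itself sets, so a spoofed or hijacked agent — the very thing this threshold rule exists to catch — can add `forwarded` to `tags` and drop out of the rule entirely, and the commit does not address that bypass. If, as its name suggests, `event.agent_id_status` is asserted on the ingest side rather than by the sender, it and `tags` are not equally trustworthy and should not carry equal weight in an exclusion — confirm against the ingest pipeline before relying on either. A narrower exclusion tied to the integrations the commit message names keeps the false-positive fix without a blanket opt-out, e.g. `event.agent_id_status:* and not (tags:forwarded and data_stream.dataset:(<forwarding datasets>))`, with the dataset list filled from the Entity Analytics, GlobalProtect and M365 Defender sources cited. Whichever shape is kept, the rule's `note` or `false_positives` text (outside this hunk) should state that events tagged `forwarded` suppress the alert, so triagers know to check that tag when investigating a suspected spoofed agent. The hunk header declares seven lines but the view ends at the closing `'''`, so the hunk's trailing context appears collapsed or cut off here.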