elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Rule Tuning] Agent Spoofing - Multiple Hosts Using Same Agent #3932

Open tehbooom opened 2 months ago

tehbooom commented 2 months ago

Link to Rule

No response

Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

Description

Related to #3613

Receiving a very high rate of false positives for this rule. The host.id is null for these alerts.

Rule is up to date with changes from https://github.com/elastic/detection-rules/pull/3790

We ran the following ES|QL query and see no datasets causing the alerts:

from logs-*
| where host.id is not null and elastic_agent.id is not null
| stats hosts_per_agent = count_distinct(host.id) by elastic_agent.id, data_stream.dataset
| where hosts_per_agent > 1
| sort hosts_per_agent desc
| keep hosts_per_agent, data_stream.dataset

Example Data

No response
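The following is an added illustration, not code from the issue or from the detection-rules project, of why a missing host.id can inflate a "distinct hosts per agent" count and how the reporter's ES|QL aggregation behaves once null host.id values are excluded. It assumes the rule's core logic is "alert when one elastic_agent.id is seen with two or more distinct host.id values" (a simplification of the real rule); the events, agent ids, host ids and dataset names are constructed sample data.

```python
from collections import defaultdict

# Constructed sample events; field names follow ECS / Elastic Agent conventions.
# The real rule and its exact threshold are assumed, not copied from the project.
EVENTS = [
    {"elastic_agent.id": "agent-A", "host.id": "host-1", "data_stream.dataset": "system.syslog"},
    {"elastic_agent.id": "agent-A", "host.id": "host-1", "data_stream.dataset": "system.auth"},
    # Same agent, but this integration does not populate host.id at all.
    {"elastic_agent.id": "agent-A", "host.id": None, "data_stream.dataset": "cloud.metrics"},
    # A genuinely shared agent id: two different hosts reporting as agent-B.
    {"elastic_agent.id": "agent-B", "host.id": "host-2", "data_stream.dataset": "system.syslog"},
    {"elastic_agent.id": "agent-B", "host.id": "host-3", "data_stream.dataset": "system.syslog"},
    # An agent whose events never carry host.id.
    {"elastic_agent.id": "agent-C", "host.id": None, "data_stream.dataset": "cloud.metrics"},
]


def hosts_per_agent(events, ignore_null_host=True):
    """Distinct host.id values seen per elastic_agent.id.

    With ignore_null_host=False a missing host.id is treated as its own
    distinct value, which is the behaviour that turns a single host with a
    host.id-less data stream into an apparent second host.
    """
    seen = defaultdict(set)
    for event in events:
        agent = event.get("elastic_agent.id")
        host = event.get("host.id")
        if agent is None:
            continue
        if host is None:
            if ignore_null_host:
                continue
            host = "<null>"  # naive handling: count "no host.id" as a host
        seen[agent].add(host)
    return {agent: len(hosts) for agent, hosts in seen.items()}


def spoofing_alerts(events, threshold=2, ignore_null_host=True):
    """Agent ids that would fire under the simplified rule logic."""
    counts = hosts_per_agent(events, ignore_null_host=ignore_null_host)
    return sorted(agent for agent, n in counts.items() if n >= threshold)


def hosts_per_agent_by_dataset(events):
    """Python equivalent of the reporter's ES|QL query: drop rows where
    host.id or elastic_agent.id is null, count distinct host.id grouped by
    (elastic_agent.id, data_stream.dataset), keep groups with more than one
    host, sorted by that count descending."""
    seen = defaultdict(set)
    for event in events:
        agent = event.get("elastic_agent.id")
        host = event.get("host.id")
        dataset = event.get("data_stream.dataset")
        if agent is None or host is None:
            continue
        seen[(agent, dataset)].add(host)
    rows = [(len(hosts), agent, dataset) for (agent, dataset), hosts in seen.items()]
    return sorted((n, agent, dataset) for n, agent, dataset in rows if n > 1)[::-1]


if __name__ == "__main__":
    print("naive alerts :", spoofing_alerts(EVENTS, ignore_null_host=False))
    print("tuned alerts :", spoofing_alerts(EVENTS, ignore_null_host=True))
    print("ES|QL-style  :", hosts_per_agent_by_dataset(EVENTS))
```

With the sample data, the naive count flags both agent-A (a false positive caused only by the host.id-less stream) and agent-B (the genuine multi-host case); excluding null host.id leaves only agent-B, and the dataset-level aggregation reports a single offending (agent, dataset) pair, matching the situation the reporter describes where no dataset stands out once nulls are filtered.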