Agent Spoofing alerts due to mismatched agent id's since 9.2.1 update

willemdh · November 13, 2025, 12:55pm

Since I updated this afternoon to 9.2.1 this alert triggers continuously for all my 3 agents.

Grtz

Samir_Bousseaden · November 13, 2025, 3:57pm

@willemdh is it agent-less related ? (host.name starts with agentless-*) if so we pushed a tuning to address this [Tuning] Agent Spoofing - Mismatched Agent ID by shashank-elastic · Pull Request #5295 · elastic/detection-rules · GitHub

willemdh · November 13, 2025, 4:11pm

@Samir_Bousseaden Thanks for your answer. No it’s not agentless related. It is Elastic Security serverless related.

Mika_Ayenson · November 13, 2025, 4:36pm

@willemdh Do you mind attaching the sample alerts or reaching out on our community Slack if you feel more comfortable?

Rorb · November 20, 2025, 10:25pm

Yeah I have exactly the same problem for all my windows and mac hosts. Updated the rule but that doesn’t help since its only solves the serverless issue. Seems like a bug maybe.

Topic		Replies	Views
Agent Spoofing - Multiple Hosts Using Same Agent after update to 8.5.3 Elastic Security	2	342	January 22, 2023
Metricbeat Jolokia module - same jolokia.agent.id for multiple agents Beats metricbeat	1	295	April 1, 2021
Elastic Endpoint Security with Elastic Agent Endpoint Security	16	3261	November 10, 2020
Winlogbeat reports wrong event_id on Windows Server 2003 Beats winlogbeat	3	1300	April 12, 2016
Elastic Agent fault by Fleet manager Beats elastic-agent	1	905	June 4, 2021

Agent Spoofing alerts due to mismatched agent id's since 9.2.1 update

Related topics