Agent Spoofing - Multiple Hosts Using Same Agent

Elastic Detection Rules

Summary
This rule detects instances where multiple hosts report the same agent ID, a signal of potential agent spoofing. Such activity may indicate a hijack scenario in which an adversary reuses a legitimate agent ID to inject false data into the network, masking malicious actions to evade detection. The detection applies to environments running Elastic Agent version 7.14 and above.

The detection logic uses a threshold approach: it monitors agent ID usage across hosts and fires when at least two distinct hosts report the same agent ID.

Potential false positives include load balancing, virtual environment cloning, and testing configurations in which agent IDs are legitimately duplicated.

Investigation involves close scrutiny of the agents reporting identical IDs, review of network logs, and analysis of recent changes to agent configurations. Response steps include isolating the affected hosts, revoking compromised agent IDs, and conducting a thorough investigation for unauthorized changes. Logging and alerting for similar threats should also be strengthened going forward.
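As an added illustration of the threshold logic described above (example code, not Elastic's rule definition), the following Python groups constructed Elastic-Agent-style events by agent.id and flags any ID reported by two or more distinct host.id values. Field names follow ECS; all event values are invented for the example.

```python
from collections import defaultdict

# Constructed sample events shaped like Elastic Agent documents.
# Field names follow ECS (agent.id, host.id); the values are invented.
SAMPLE_EVENTS = [
    {"@timestamp": "2021-07-14T10:00:00Z", "agent": {"id": "a1b2c3"}, "host": {"id": "host-001", "name": "web-01"}},
    {"@timestamp": "2021-07-14T10:00:05Z", "agent": {"id": "a1b2c3"}, "host": {"id": "host-001", "name": "web-01"}},
    {"@timestamp": "2021-07-14T10:01:00Z", "agent": {"id": "a1b2c3"}, "host": {"id": "host-077", "name": "unknown-77"}},
    {"@timestamp": "2021-07-14T10:02:00Z", "agent": {"id": "d4e5f6"}, "host": {"id": "host-002", "name": "db-01"}},
    {"@timestamp": "2021-07-14T10:03:00Z", "agent": {"id": "g7h8i9"}, "host": {"id": "host-003", "name": "app-01"}},
    {"@timestamp": "2021-07-14T10:03:30Z", "agent": {"id": "g7h8i9"}, "host": {"id": "host-004", "name": "app-02"}},
    {"@timestamp": "2021-07-14T10:04:00Z", "agent": {}, "host": {"id": "host-005"}},  # no agent.id: ignored
]


def _field(event, path):
    """Return a dotted ECS field (e.g. 'agent.id') or None if it is absent."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def hosts_per_agent(events):
    """Map each agent.id to the set of distinct host.id values that reported it."""
    seen = defaultdict(set)
    for ev in events:
        agent_id, host_id = _field(ev, "agent.id"), _field(ev, "host.id")
        if agent_id and host_id:  # skip events missing either key field
            seen[agent_id].add(host_id)
    return seen


def find_shared_agent_ids(events, threshold=2):
    """Threshold rule: flag agent IDs reported by at least `threshold` distinct hosts.
    Returns {agent_id: sorted host ids} so an analyst can see which hosts to review."""
    return {
        agent_id: sorted(hosts)
        for agent_id, hosts in hosts_per_agent(events).items()
        if len(hosts) >= threshold
    }


if __name__ == "__main__":
    for agent_id, hosts in find_shared_agent_ids(SAMPLE_EVENTS).items():
        print(f"agent.id {agent_id} reported by {len(hosts)} hosts: {', '.join(hosts)}")
```

Raising `threshold` or excluding known clone or load-balancer hosts before calling `find_shared_agent_ids` is where the false-positive tuning mentioned above would go.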
Categories
  • Endpoint
  • Network
Data Sources
  • Pod
  • Container
  • User Account
  • Logon Session
  • Service
ATT&CK Techniques
  • T1036
Created: 2021-07-14