[Rule Tuning] Very high false positive rate in 'Agent Spoofing - Multiple Hosts Using Same Agent'

[jvalente-salemstate]

Describe the bug
This is a threshold rule that triggers when the cardinality of host.id for any given elastic_agent_id is more than one. For rules containing the forwarded tag, host details are populated but they may contain host details from the event (m365_defender.event device events, panw.panos logs containing host info). It may also be triggering if the host id is null.
These can't be added as exceptions since the fields aren't available in a threshold

To Reproduce

Use any integration that can exports host.id and includes forwarded in the tag.

Run the ES|QL query to view the datasets causing this

from logs-* 
| where host.id is not null and elastic_agent.id is not null
| stats hosts_per_agent = count_distinct
(host.id) by elastic_agent.id, data_stream.dataset
| where hosts_per_agent > 1 
| sort hosts_per_agent desc | keep hosts_per_agent, data_stream.dataset

Expected behavior

The rule should not trigger on forwarded events or when host.id does not exist.

[jvalente-salemstate]

Accidentally submitted as a bug instead of tuning. Fixed the title but I can't seem to adjust labels.