Unusual Web User Agent

Last updated 7 months ago on 2025-01-15

Created 5 years ago on 2020-03-25

About

A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity.

Tags

Use Case: Threat DetectionRule Type: MLRule Type: Machine LearningTactic: Command and Control

Severity

low

Risk Score

MITRE ATT&CK™

Command and Control (TA0011)(opens in a new tab or window)

↳ Application Layer Protocol (T1071)(opens in a new tab or window)

False Positive Examples

Web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. A new or rarely used program that calls web services may trigger this alert.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Machine Learning

Integration Pack

Prebuilt Security Detection Rules

Related Integrations

endpoint(opens in a new tab or window)

network_traffic(opens in a new tab or window)

Query

Install detection rules in Elastic Security

Detect Unusual Web User Agent in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).