Description
This detection identifies web requests with unusual or suspicious user agent strings that may indicate malicious activity. Attackers often use custom or modified user agents when conducting reconnaissance, exploiting vulnerabilities, or communicating with command and control servers. This detection analyzes web proxy or web server logs to identify user agents that deviate from normal patterns or match known malicious signatures.
Detection Details
- Tool: Elastic
- Category: SIEM
- Severity: Low
- Status: Active
Metadata
- ID: ELASTIC-001
- Author: Saif Al Mamari
- Last Updated: 2023-10-30
MITRE ATT&CK Techniques
False Positives
- Legitimate API clients and automation tools
- Developer testing and debugging
- Custom applications with non-standard user agents
Tool-Specific Rule Format
GET _search
{
  "query": {
    "bool": {
      "must": [
        { "match": { "event.category": "web" } },
        {
          "bool": {
            "should": [
              { "wildcard": { "user_agent.original": "*curl*" } },
              { "wildcard": { "user_agent.original": "*wget*" } },
              { "wildcard": { "user_agent.original": "*powershell*" } },
              { "wildcard": { "user_agent.original": "*python*" } }
            ],
            "minimum_should_match": 1
          }
        }
      ]
    }
  }
}
Implementation Notes
This detection uses Elasticsearch Query DSL to identify suspicious patterns in your log data. The query can be implemented as a rule in Elastic Security or as a custom alert in Kibana. You may need to adjust field names based on your ECS mapping and customize the query based on your environment's specific characteristics.
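The rule's bool/should logic, reimplemented over a few constructed ECS-style events as an added example (not code from the original page or from Elastic) so the matching behaviour can be checked before deployment. Elasticsearch wildcard queries on a keyword field such as user_agent.original are case-sensitive unless the clause sets "case_insensitive": true, so the example exposes that switch; the NDJSON events, source IPs and the KNOWN_GOOD_UAS allowlist are assumed sample values.

```python
import json

# Substrings the rule's four wildcard clauses look for (from the page's query).
SUSPECT_UA_PATTERNS = ("curl", "wget", "powershell", "python")

# Hypothetical allowlist of exact user agents known to be legitimate in this
# environment (assumed values, not from the page); used to tag false positives.
KNOWN_GOOD_UAS = {"python-requests/2.31.0 (inventory-sync)"}

def matching_patterns(ua, case_insensitive=True):
    """Mimic `wildcard: *pattern*` on user_agent.original.
    Elasticsearch wildcard on a keyword field is case-sensitive unless the
    clause sets "case_insensitive": true, so both behaviours are offered."""
    hay = ua.lower() if case_insensitive else ua
    return [p for p in SUSPECT_UA_PATTERNS if p in hay]

def evaluate(event, case_insensitive=True):
    """Apply the rule's bool logic to one ECS-style event dict.
    Returns None when the event does not fire, else a small alert dict."""
    if event.get("event", {}).get("category") != "web":
        return None
    ua = event.get("user_agent", {}).get("original", "")
    hits = matching_patterns(ua, case_insensitive)
    if not hits:
        return None
    return {
        "user_agent": ua,
        "matched": hits,
        "source_ip": event.get("source", {}).get("ip"),
        "allowlisted": ua in KNOWN_GOOD_UAS,
    }

# Constructed sample events (NDJSON, ECS field names as used by the rule).
SAMPLE_NDJSON = """\
{"event":{"category":"web"},"source":{"ip":"10.0.0.5"},"user_agent":{"original":"curl/8.4.0"}}
{"event":{"category":"web"},"source":{"ip":"10.0.0.9"},"user_agent":{"original":"Python-requests/2.31.0"}}
{"event":{"category":"web"},"source":{"ip":"10.0.0.7"},"user_agent":{"original":"python-requests/2.31.0 (inventory-sync)"}}
{"event":{"category":"web"},"source":{"ip":"10.0.0.8"},"user_agent":{"original":"Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"}}
{"event":{"category":"process"},"source":{"ip":"10.0.0.3"},"user_agent":{"original":"wget/1.21"}}
"""

def run(ndjson, case_insensitive=True):
    """Evaluate every event in an NDJSON string; return only the alerts."""
    events = [json.loads(line) for line in ndjson.splitlines() if line.strip()]
    return [a for a in (evaluate(e, case_insensitive) for e in events) if a]

if __name__ == "__main__":
    for alert in run(SAMPLE_NDJSON):
        print(alert)
```

With the default case-sensitive wildcard the "Python-requests" event is missed, so the capitalisation of the user agent, not its tool, decides whether the rule fires.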
Alert Details
Why This Alert Fired
This alert was triggered by an Elastic detection rule that identifies web requests with unusual user agent strings that may indicate malicious activity.
Investigation Steps
- Review the full event details in the SIEM platform
- Search for the full event using the query below:
  GET _search
  {
    "query": {
      "bool": {
        "must": [
          { "match": { "event.category": "web" } },
          {
            "bool": {
              "should": [
                { "wildcard": { "user_agent.original": "*curl*" } },
                { "wildcard": { "user_agent.original": "*wget*" } },
                { "wildcard": { "user_agent.original": "*powershell*" } },
                { "wildcard": { "user_agent.original": "*python*" } }
              ],
              "minimum_should_match": 1
            }
          }
        ]
      }
    }
  }
- Examine the context of the event, including user, host, and network information
- Look for unusual patterns or deviations from normal behavior
- Check if the activity is consistent with the user's role and typical activities
- Check for related events before and after the detection time
- Verify if the activity is expected for the user/system in question
- Correlate with other security events from the same source or target
True Positive Indicators
- Activity matches known malicious patterns
- Unusual execution context or parameters
- Activity from unexpected users or systems
- Correlation with other suspicious events
False Positive Indicators
- Legitimate API clients and automation tools
- Developer testing and debugging
- Custom applications with non-standard user agents
Recommended Response Actions
This is a low-severity detection that should be monitored.
- Monitor for additional related activity
- Document the investigation findings
- Update detection rules if false positive
- Consider additional logging if needed
- No immediate action required if benign
Documentation & Evidence Collection
- Document all investigation steps and findings in the case management system
- Capture screenshots of relevant events and timelines
- Export raw logs and preserve them as evidence
- Document any systems accessed and actions taken during investigation
- Record all remediation actions if a true positive is confirmed