Adversaries may use processes with empty user agents to mask their web browsing activity and evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command and control or reconnaissance activities.
KQL Query
let timeframe = 15m;
Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(timeframe)
| where HttpUserAgentOriginal == ''
| extend Message = "Empty User Agent"
| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated
id: 2b328487-162d-4034-b472-59f1d53684a1
name: Cisco Umbrella - Empty User Agent Detected
description: |
  'Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web browser.'
severity: Medium
requiredDataConnectors:
  - connectorId: CiscoUmbrellaDataConnector
    dataTypes:
      - Cisco_Umbrella_proxy_CL
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
query: |
  let timeframe = 15m;
  Cisco_Umbrella
  | where EventType == "proxylogs"
  | where TimeGenerated > ago(timeframe)
  | where HttpUserAgentOriginal == ''
  | extend Message = "Empty User Agent"
  | project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated
entityMappings:
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: UrlOriginal
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
version: 1.1.2
kind: Scheduled
Scenario: Scheduled System Maintenance Task
Description: A scheduled task runs a system cleanup or update that uses a non-browser process, which may not set a user agent.
Filter/Exclusion: Exclude processes associated with system maintenance tools like Task Scheduler, Windows Update, or PowerShell scripts running under the SYSTEM or Local System account.

Scenario: Network Monitoring Tool (e.g., Wireshark, tcpdump)
Description: Network analysis tools may capture HTTP traffic without setting a user agent, leading to false positives.
Filter/Exclusion: Exclude traffic originating from tools like Wireshark, tcpdump, or tshark by checking the source IP or process name.

Scenario: Log Collection or SIEM Agent (e.g., Splunk, ELK Stack)
Description: Log aggregation tools may send HTTP requests to central servers without a user agent.
Filter/Exclusion: Exclude traffic from known log agents such as Splunkforwarder, Filebeat, or Logstash by checking the source IP or process name.

Scenario: API Testing Tool (e.g., Postman, Insomnia)
Description: Developers may use API testing tools to send HTTP requests without setting a user agent.
Filter/Exclusion: Exclude traffic from tools like Postman or Insomnia by checking the user agent string or the source IP associated with development environments.

Scenario: Cloud Infrastructure Management (e.g., AWS CLI, Terraform)
Description: Infrastructure-as-code tools may make HTTP requests to cloud APIs without a user agent.
Filter/Exclusion: Exclude traffic from tools like AWS CLI, Terraform, or Ansible by checking the source IP or process name, or by filtering based on known API endpoints.
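The following is an added example, not part of the original rule: the same detection with the exclusions from the scenarios above expressed as allowlists, and results grouped per source/destination pair so a repetitive beacon stands out by request count. The columns the rule projects carry no process name, so the exclusions key on SrcIpAddr and on the destination host parsed from UrlOriginal; the IP addresses and domains in the two lists are constructed placeholders to be replaced with the environment's own inventory.

```kql
// Tuned variant of the Cisco Umbrella empty user agent detection (added example).
let timeframe = 15m;
// Constructed placeholders: internal hosts known to send requests without a user agent
// (SIEM forwarders, build runners, IaC tooling). Replace with your own inventory.
let knownSources = dynamic(["10.0.5.10", "10.0.5.11"]);
// Constructed placeholders: destination domains reached by update and cloud-API tooling.
let knownDestinationDomains = dynamic(["windowsupdate.com", "amazonaws.com", "terraform.io"]);
Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(timeframe)
// isempty() also matches a null user agent, which the == '' comparison does not.
| where isempty(HttpUserAgentOriginal)
// Drop sources inventoried as legitimate non-browser clients.
| where SrcIpAddr !in (knownSources)
// Drop requests to destinations owned by known maintenance or cloud-API tooling.
| extend DstHost = tostring(parse_url(UrlOriginal).Host)
| where not(DstHost has_any (knownDestinationDomains))
// One row per source/destination pair; a chatty beacon shows a high RequestCount.
| summarize RequestCount = count(),
            Urls = make_set(UrlOriginal, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by SrcIpAddr, DstIpAddr
| extend Message = "Empty User Agent"
| project Message, SrcIpAddr, DstIpAddr, RequestCount, Urls, FirstSeen, LastSeen
| order by RequestCount desc
```

If this replaces the query in the rule above, the URL entity mapping must point at a scalar column, so either drop that mapping or keep UrlOriginal in the by clause instead of collecting it with make_set.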