Adversaries may use rare user agents to mask malicious web browsing activity by non-browser processes. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential web-based attacks that evade standard detection methods.
KQL Query
let lookBack = 14d;
let timeframe = 1d;
let user_agents_list = Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(lookBack) and TimeGenerated < ago(timeframe)
| summarize count() by HttpUserAgentOriginal
| summarize make_list(HttpUserAgentOriginal);
Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(timeframe)
| where HttpUserAgentOriginal !in (user_agents_list)
| extend Message = "Rare User Agent"
| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal
id: 8c8de3fa-6425-4623-9cd9-45de1dd0569a
name: Cisco Umbrella - Rare User Agent Detected
description: |
'Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.'
severity: Medium
requiredDataConnectors:
- connectorId: CiscoUmbrellaDataConnector
dataTypes:
- Cisco_Umbrella_proxy_CL
queryFrequency: 1d
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- CommandAndControl
query: |
let lookBack = 14d;
let timeframe = 1d;
let user_agents_list = Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(lookBack) and TimeGenerated < ago(timeframe)
| summarize count() by HttpUserAgentOriginal
| summarize make_list(HttpUserAgentOriginal);
Cisco_Umbrella
| where EventType == "proxylogs"
| where TimeGenerated > ago(timeframe)
| where HttpUserAgentOriginal !in (user_agents_list)
| extend Message = "Rare User Agent"
| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlOriginal
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
version: 1.1.2
kind: Scheduled
Scenario: System Maintenance Tool Execution
Description: A legitimate system maintenance tool, such as wbemtest.exe (Windows Management Instrumentation Tester), is executed by an administrator to troubleshoot system issues. This tool may use a non-browser user agent string.
Filter/Exclusion: Exclude processes associated with wbemtest.exe or any known system diagnostic tools by checking the process_name field.
Scenario: Scheduled Job Using Non-Browser User Agent
Description: A scheduled job, such as a PowerShell script or a batch file, runs under a non-browser user agent to perform automated tasks (e.g., API calls, data synchronization).
Filter/Exclusion: Exclude processes that match known job scheduler tools (e.g., schtasks.exe, powershell.exe with specific command-line arguments) using the process_name or command_line fields.
Scenario: Admin Task Using Custom User Agent
Description: An administrator uses a custom user agent string while testing or configuring network devices (e.g., using curl or wget in a script) to simulate web requests for diagnostic purposes.
Filter/Exclusion: Exclude requests where the user_agent field matches known custom or testing agents, or filter by process_name such as curl.exe or wget.exe.
Scenario: Legacy Application or Service Using Non-Browser User Agent
Description: A legacy enterprise application (e.g., sqlcmd.exe, rsync, or ftp.exe) uses a non-browser user agent string to communicate with web services or APIs.
Filter/Exclusion: Exclude processes associated with known legacy tools by checking the process_name field or using a custom filter for user_agent strings used by these tools.
Scenario: Security Tool or SIEM Agent Testing
*