Adversaries may use empty user agent strings to mask their identity and evade detection during network reconnaissance. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential reconnaissance or initial access attempts that bypass standard signature-based detection.
Detection Rule
title: HTTP Request With Empty User Agent
id: 21e44d78-95e7-421b-a464-ffd8395659c4
status: test
description: |
    Detects potentially suspicious empty user agent strings in proxy logs.
    Could potentially indicate an uncommon request method.
references:
    - https://twitter.com/Carlos_Perez/status/883455096645931008
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2021-11-27
tags:
    - attack.defense-evasion
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString
        c-useragent: ''
    condition: selection
falsepositives:
    - Unknown
level: medium
imWebSession
| where HttpUserAgent =~ ""
Scenario: User Agent Empty Due to System or Service Automation
Description: A legitimate system or service (e.g., Jenkins, Ansible, or a CI/CD pipeline) may make HTTP requests without a user agent string, often for internal tooling or API communication.
Filter/Exclusion: Exclude traffic originating from known internal tools or services using IP ranges or hostnames associated with those systems (e.g., 10.0.0.0/8, jenkins.example.com).
Scenario: Scheduled Job or Cron Task Making HTTP Requests
Description: A scheduled job (e.g., using cron, systemd, or Task Scheduler) may make HTTP requests to an internal API or external service without a user agent, as it may not be configured to include one.
Filter/Exclusion: Exclude traffic from known job schedulers or processes using process names or command-line arguments (e.g., cron, systemd, task scheduler).
Scenario: Web Application Firewall (WAF) or Proxy Bypassing User Agent
Description: A WAF or proxy (e.g., ModSecurity, NGINX, or Cloudflare) may strip the user agent header, or fail to forward it, during request processing, leaving an empty user agent in the logs.
Filter/Exclusion: Exclude traffic that passes through known WAFs or proxies by checking for proxy headers (e.g., X-Forwarded-For, X-Real-IP) or using proxy-specific log fields.
Scenario: Internal Monitoring or Telemetry Tools
Description: Internal monitoring tools (e.g., Prometheus, Grafana, or Datadog) may send HTTP requests to a metrics endpoint without a user agent, as they are not designed to mimic browser behavior.
Filter/Exclusion: Exclude traffic from known monitoring tools by
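Added example, not part of the original rule or the Sentinel query: the same detection run in Python over constructed proxy records shaped like the imWebSession fields, with the source-range and hostname exclusions from the scenarios above applied. It goes one step beyond the `HttpUserAgent =~ ""` match by also treating "-" as empty, since combined-log style proxies write that for an absent header; every address, hostname and allowlist entry is a constructed value.

```python
import ipaddress

# Constructed sample records shaped like the imWebSession fields the query
# touches; all addresses and hostnames are made up for this example.
SAMPLE_SESSIONS = [
    {"SrcIpAddr": "10.20.1.15", "SrcHostname": "jenkins.example.com",
     "DstHostname": "artifacts.example.com", "HttpUserAgent": ""},
    {"SrcIpAddr": "10.30.2.5", "SrcHostname": "prometheus01",
     "DstHostname": "metrics.example.com", "HttpUserAgent": ""},
    {"SrcIpAddr": "192.168.5.42", "SrcHostname": "ws-finance-07",
     "DstHostname": "203.0.113.9", "HttpUserAgent": ""},
    {"SrcIpAddr": "192.168.5.43", "SrcHostname": "ws-finance-08",
     "DstHostname": "203.0.113.9", "HttpUserAgent": "-"},
    {"SrcIpAddr": "192.168.5.44", "SrcHostname": "ws-finance-09",
     "DstHostname": "www.example.com",
     "HttpUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
]

# Hypothetical allowlist built from the false-positive scenarios above:
# a CI/CD subnet excluded by range, a monitoring host excluded by name.
ALLOWED_SRC_NETS = [ipaddress.ip_network("10.20.1.0/24")]
ALLOWED_SRC_HOSTS = {"jenkins.example.com", "prometheus01"}


def is_empty_user_agent(session):
    """Rule condition. The KQL `HttpUserAgent =~ ""` matches only the empty
    string; "-" is added here because combined-log style proxies write it
    for an absent header, which the plain query would otherwise miss."""
    ua = session.get("HttpUserAgent", "")
    return ua.strip() in ("", "-")


def is_allowlisted(session):
    """Exclusion: source in a known automation range or a known host."""
    src_ip = ipaddress.ip_address(session["SrcIpAddr"])
    if any(src_ip in net for net in ALLOWED_SRC_NETS):
        return True
    return session.get("SrcHostname", "").lower() in ALLOWED_SRC_HOSTS


def hunt_empty_user_agent(sessions):
    """Sessions that match the rule and survive the exclusions."""
    return [s for s in sessions
            if is_empty_user_agent(s) and not is_allowlisted(s)]


if __name__ == "__main__":
    for hit in hunt_empty_user_agent(SAMPLE_SESSIONS):
        print(f"{hit['SrcIpAddr']} ({hit['SrcHostname']}) -> {hit['DstHostname']}")
```

Tuning happens in `ALLOWED_SRC_NETS` and `ALLOWED_SRC_HOSTS`; the two workstation hits that remain are the ones worth triaging.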