A malicious actor may use a single IP address to probe multiple systems while rotating user agents to evade user-agent based blocking or detection. SOC teams can proactively hunt for this behaviour in Azure Sentinel: the query below takes IIS requests that did not succeed (no 2xx or 3xx response), groups them by external client IP, site and HTTP method, and counts the distinct user agent strings each client presented. Several user agents from one low-volume client is a pattern worth reviewing for reconnaissance or initial access attempts.
KQL Query
W3CIISLog
| where scStatus !startswith "20" and scStatus !startswith "30" and cIP !startswith "192.168." and cIP != sIP and cIP != "::1"
// Exclude private and loopback addresses with the ipv4_is_private() function.
// Caveat: ipv4_is_private() returns null for an IPv6 string, and a null comparison is
// treated as false by where, so every IPv6 client is dropped here as well.
| where ipv4_is_private(cIP) == false and cIP !startswith "fe80" and cIP !startswith "::" and cIP !startswith "127."
// make_set() (the current name of the deprecated makeset()) writes its output to set_csUserAgent
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(csUserAgent), ConnectionCount = count()
  by Computer, sSiteName, sIP, sPort, cIP, csMethod
| extend csUserAgentPerIPCount = array_length(set_csUserAgent)
// between is inclusive: 2 to 15 distinct user agents, and at most 50 requests for the group
| where csUserAgentPerIPCount between ( 2 .. 15 ) and ConnectionCount <= 50
| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = Computer
id: 4edbb420-2df7-4089-9906-c335f065803e
name: Same IP address with multiple csUserAgent
description: |
  'This flags a client IP that connects with 2 to 15 different user agents within the query time range (intended as a 1 hour window). Limited to 50 or fewer connections per group to avoid high-traffic sites. May indicate malicious activity as a probing method.'
description_detailed: |
  'This flags the same client IP (cIP) connecting with more than 1 but no more than 15 different user agent strings (csUserAgent) within the query time range. The intended window is 1 hour; the query itself carries no time filter, so the hunting time range or the analytics rule lookback sets it.
  We limit to 50 or fewer connections per group to avoid high-traffic sites. This may indicate malicious activity, as this is a method of probing an environment.
  References: Status code mappings for your convenience
  IIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0
  Win32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx'
requiredDataConnectors:
  - connectorId: AzureMonitor(IIS)
    dataTypes:
      - W3CIISLog
tactics:
  - InitialAccess
relevantTechniques:
  - T1190
query: |
  W3CIISLog
  | where scStatus !startswith "20" and scStatus !startswith "30" and cIP !startswith "192.168." and cIP != sIP and cIP != "::1"
  // Exclude private and loopback addresses with the ipv4_is_private() function
  // (returns null for IPv6 input, which where treats as false, so IPv6 clients are dropped too)
  | where ipv4_is_private(cIP) == false and cIP !startswith "fe80" and cIP !startswith "::" and cIP !startswith "127."
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(csUserAgent), ConnectionCount = count()
    by Computer, sSiteName, sIP, sPort, cIP, csMethod
  | extend csUserAgentPerIPCount = array_length(set_csUserAgent)
  | where csUserAgentPerIPCount between ( 2 .. 15 ) and ConnectionCount <= 50
  | extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = Computer
version: 1.0.1
metadata:
  source:
    kind: Community
  author:
    name: Shain
  support:
    tier: Community
  categories:
    domains: [ "Security - Network" ]
| Sentinel Table | Notes |
|---|---|
| W3CIISLog | Ensure the AzureMonitor(IIS) data connector is enabled |
Scenario: Multiple user agents from a single IP during a scheduled system update
Description: A system update process (e.g., using Ansible, Chef, or Puppet) may use different user agents for various tasks (e.g., inventory checks, package installations).
Filter/Exclusion: Exclude IP addresses associated with known system management tools or IP ranges used by internal CI/CD pipelines.
Scenario: Web scraping or data collection tasks using multiple user agents
Description: Legitimate data collection tools (e.g., Scrapy, Selenium, or Apache Nutch) may use different user agents to mimic various browsers or avoid detection.
Filter/Exclusion: Exclude IPs associated with known data collection tools or user agents used by internal data scraping processes.
Scenario: Admin tasks using different user agents for testing or diagnostics
Description: System administrators may use different user agents (e.g., curl, wget, or Postman) to test web services or APIs during troubleshooting.
Filter/Exclusion: Exclude IPs from admin workstations or user agents associated with internal diagnostic tools.
Scenario: Scheduled job execution with varying user agents
Description: Automated jobs (e.g., cron, Task Scheduler, or Airflow) may use different user agents to interact with external APIs or services.
Filter/Exclusion: Exclude IPs from known job scheduling systems or user agents used by internal automation tools.
Scenario: Internal monitoring tools using multiple user agents
Description: Monitoring tools like Nagios, Zabbix, or Prometheus may use different user agents to check the status of various services or endpoints.
Filter/Exclusion: Exclude IPs from internal monitoring systems or user agents associated with known monitoring tools.
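The following is an added example of how the exclusions from the scenarios above can be applied to the hunt; it is not part of the original query or of the Azure Sentinel repository. The IP addresses (RFC 5737 documentation ranges) and the user agent terms are constructed placeholders to be replaced with your own allowlist, or with a Sentinel watchlist read via `_GetWatchlist()`. It also uses `make_set()` and `array_length()` in place of the deprecated names, caps the set at 16 entries (enough to know the count exceeds 15), and keeps IPv6 clients in scope, because `ipv4_is_private()` returns null for an IPv6 string and the null comparison in the original drops those rows.

```kql
// Added example: tuned version of the hunt with allowlist exclusions.
// All addresses and user agent terms below are constructed placeholders.
let KnownAutomationIPs = datatable(cIP: string, Reason: string) [
    "203.0.113.10", "CI/CD runner (constructed example)",
    "203.0.113.20", "Zabbix poller (constructed example)",
    "198.51.100.5", "admin jump host (constructed example)"
];
// Terms matched against csUserAgent with has_any (term match, case-insensitive).
let KnownToolUATerms = dynamic(["PostmanRuntime", "Zabbix", "Nagios", "Prometheus", "Scrapy"]);
W3CIISLog
| where scStatus !startswith "20" and scStatus !startswith "30"
| where cIP != sIP and cIP !startswith "127." and cIP !startswith "::"
// ipv4_is_private() yields null for IPv6 input; coalesce keeps those clients in scope
| where coalesce(ipv4_is_private(cIP), false) == false
// Drop link-local and unique-local IPv6 ranges explicitly
| where cIP !startswith "fe80" and cIP !startswith "fc" and cIP !startswith "fd"
// leftanti keeps only rows with no match in the allowlist
| join kind=leftanti KnownAutomationIPs on cIP
// Remove known internal tools before counting, so a monitoring poller behind a
// shared NAT address does not inflate the distinct user agent count for real users
| where not(csUserAgent has_any (KnownToolUATerms))
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
            UserAgents = make_set(csUserAgent, 16), ConnectionCount = count()
  by Computer, sSiteName, sIP, sPort, cIP, csMethod
| extend csUserAgentPerIPCount = array_length(UserAgents)
| where csUserAgentPerIPCount between (2 .. 15) and ConnectionCount <= 50
| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = Computer
```

As with the original, there is no `TimeGenerated` filter: in the hunting blade the selected time range applies, and if the query is promoted to an analytics rule the rule's lookback period becomes the window the description refers to. Filtering user agents before the `summarize` is deliberate; filtering afterwards would leave the tool's user agent counted in the set even though it was explained.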