splunk · patel-bhavin · Jan 7, 2026 · Dec 18, 2025 · Jan 6, 2026 · Jan 6, 2026
@@ -1,9 +1,9 @@
 name: HTTP Suspicious Tool User Agent
 id: 1ca76190-4997-4d19-b5bc-9e220b70c7d3
-version: 1
+version: 2
 date: '2025-10-09'
 author: Raven Tait, Splunk
-status: production
+status: deprecated
 type: Anomaly
 description: This Splunk query analyzes web access logs to identify and categorize 
   non-browser user agents, detecting various types of security tools, scripting languages,

@@ -0,0 +1,80 @@
+name: HTTP C2 Framework User Agent
+id: 229dc225-6abe-4d28-89fd-edf874086162
+version: 1
+date: '2025-12-15'
+author: Ravent Tait, Splunk
+status: production
+type: TTP
+description: This Splunk query analyzes web logs to identify and categorize 
+  user agents, detecting various types of c2 frameworks. This activity can signify malicious actors
+  attempting to interact with hosts on the network using known default configurations of command
+  and control tools.
+data_source:
+- Suricata
+search: '| tstats  `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
+  from datamodel=Web where Web.http_user_agent != null by Web.http_user_agent Web.http_method, Web.url, Web.url_length Web.src, Web.dest 
+  | `drop_dm_object_name("Web")`
+  | lookup suspicious_c2_user_agents c2_user_agent AS http_user_agent OUTPUT tool, description
+  | where isnotnull(tool)
+  | stats count min(firstTime) as first_seen max(lastTime) as last_seen
+  by tool url http_user_agent src dest description
+  | `security_content_ctime(first_seen)` | `security_content_ctime(last_seen)`
+  | `http_c2_framework_user_agent_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting
+  web or proxy logs, or ensure it is being filled by a proxy like device, into the
+  Web Datamodel. For additional filtering, allow list private IP space or restrict
+  by known good.
+known_false_positives: Filtering may be required in some instances depending on legacy system usage, filter as needed.
+references:
+- https://github.com/BC-SECURITY/Malleable-C2-Profiles
+- https://www.keysight.com/blogs/en/tech/nwvs/2021/07/28/koadic-c3-command-control-decoded
+- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_http_user_agents_list.csv
+drilldown_searches:
+- name: View the detection results for - "$src$"
+  search: '%original_detection_search% | search  src = "$src$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$src$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A known C2 Framework user agent $http_user_agent$ was performing a request from $src$ to $dest$.
+  risk_objects:
+  - field: src
+    type: system
+    score: 60
+  threat_objects:
+  - field: http_user_agent
+    type: http_user_agent
+  - field: dest
+    type: system
+tags:
+  analytic_story:
+  - Cobalt Strike
+  - Brute Ratel C4
+  - Tuoni
+  - Meterpreter
+  - Spearphishing Attachments
+  - Malicious PowerShell
+  - BishopFox Sliver Adversary Emulation Framework
+  - Suspicious User Agents
+  asset_type: Network
+  mitre_attack_id:
+  - T1071.001
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.001/http_user_agents/suricata_c2.log
+    sourcetype: suricata 
+    source: suricata
@@ -0,0 +1,73 @@
+name: HTTP Malware User Agent
+id: 8c4866e4-f488-4253-8537-7dc4f954c292
+version: 1
+date: '2025-12-16'
+author: Raven Tait, Splunk
+status: production
+type: TTP
+description: This Splunk query analyzes web logs to identify and categorize 
+  user agents, detecting various types of malware. This activity can signify possible
+  compromised hosts on the network.
+data_source:
+- Suricata
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
+  from datamodel=Web where Web.http_user_agent != null by Web.http_user_agent Web.http_method, Web.url, Web.url_length Web.src, Web.dest 
+  | `drop_dm_object_name("Web")`
+  | lookup malware_user_agents malware_user_agent AS http_user_agent OUTPUT malware
+  | where isnotnull(malware)
+  | stats count min(firstTime) as first_seen max(lastTime) as last_seen
+  by malware url http_user_agent src dest
+  | `security_content_ctime(first_seen)` | `security_content_ctime(last_seen)`
+  | `http_malware_user_agent_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting
+  web or proxy logs, or ensure it is being filled by a proxy like device, into the
+  Web Datamodel. For additional filtering, allow list private IP space or restrict
+  by known good.
+known_false_positives: Filtering may be required in some instances depending on legacy system usage, filter as needed.
+references:
+- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_http_user_agents_list.csv
+drilldown_searches:
+- name: View the detection results for - "$src$"
+  search: '%original_detection_search% | search  src = "$src$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$src$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A known malware user agent $http_user_agent$ was performing a request from $src$.
+  risk_objects:
+  - field: src
+    type: system
+    score: 45
+  threat_objects:
+  - field: http_user_agent
+    type: http_user_agent
+tags:
+  analytic_story:
+  - Lokibot
+  - Lumma Stealer
+  - Meduza Stealer
+  - Crypto Stealer
+  - RedLine Stealer
+  - Suspicious User Agents
+  asset_type: Network
+  mitre_attack_id:
+  - T1071.001
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.001/http_user_agents/suricata_malware.log
+    sourcetype: suricata
+    source: suricata
@@ -0,0 +1,73 @@
+name: HTTP PUA User Agent
+id: 21af5447-734f-4549-956b-7a255cb2b032
+version: 1
+date: '2025-12-17'
+author: Raven Tait, Splunk
+status: production
+type: Anomaly
+description: This Splunk query analyzes web logs to identify and categorize user agents, 
+  detecting various types of unwanted applications. This activity can signify possible
+  compromised hosts on the network.
+data_source:
+- Suricata
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
+  from datamodel=Web where Web.http_user_agent != null by Web.http_user_agent Web.http_method, Web.url, Web.url_length Web.src, Web.dest 
+  | `drop_dm_object_name("Web")`
+  | lookup pua_user_agents pua_user_agent AS http_user_agent OUTPUT tool
+  | where isnotnull(tool)
+  | stats count min(firstTime) as first_seen max(lastTime) as last_seen
+  by tool url http_user_agent src dest
+  | `security_content_ctime(first_seen)` | `security_content_ctime(last_seen)`
+  | `http_pua_user_agent_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting
+  web or proxy logs, or ensure it is being filled by a proxy like device, into the
+  Web Datamodel. For additional filtering, allow list private IP space or restrict
+  by known good.
+known_false_positives: Noise and false positive can be seen if these programs
+  are allowed to be used within corporate network. In this case, a filter is
+  needed.
+references:
+- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_http_user_agents_list.csv
+drilldown_searches:
+- name: View the detection results for - "$src$"
+  search: '%original_detection_search% | search  src = "$src$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$src$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A known user agent ($http_user_agent$) associated with unusual programs was performing a request from $src$.
+  risk_objects:
+  - field: src
+    type: system
+    score: 32
+  threat_objects:
+  - field: http_user_agent
+    type: http_user_agent
+tags:
+  analytic_story:
+  - Local Privilege Escalation With KrbRelayUp
+  - BlackSuit Ransomware
+  - Cactus Ransomware
+  - Suspicious User Agents
+  asset_type: Network
+  mitre_attack_id:
+  - T1071.001
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.001/http_user_agents/suricata_pua.log
+    sourcetype: suricata
+    source: suricata
@@ -0,0 +1,71 @@
+name: HTTP RMM User Agent
+id: 61884b02-0dcf-44c5-9094-db33bac09fa6
+version: 1
+date: '2025-12-18'
+author: Raven Tait, Splunk
+status: production
+type: Anomaly
+description: This Splunk query analyzes web logs to identify and categorize user agents, 
+  detecting various types of Remote Monitoring and Mangement applications. This activity 
+  can signify possible compromised hosts on the network.
+data_source:
+- Suricata
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
+  from datamodel=Web where Web.http_user_agent != null by Web.http_user_agent Web.http_method, Web.url, Web.url_length Web.src, Web.dest 
+  | `drop_dm_object_name("Web")`
+  | lookup rmm_user_agents rmm_user_agent AS http_user_agent OUTPUT tool
+  | where isnotnull(tool)
+  | stats count min(firstTime) as first_seen max(lastTime) as last_seen
+  by tool url http_user_agent src dest
+  | `security_content_ctime(first_seen)` | `security_content_ctime(last_seen)`| `http_rmm_user_agent_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting
+  web or proxy logs, or ensure it is being filled by a proxy like device, into the
+  Web Datamodel. For additional filtering, allow list private IP space or restrict
+  by known good.
+known_false_positives: Noise and false positive can be seen if these programs
+  are allowed to be used within corporate network. In this case, a filter is
+  needed.
+references:
+- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_http_user_agents_list.csv
+drilldown_searches:
+- name: View the detection results for - "$src$"
+  search: '%original_detection_search% | search  src = "$src$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$src$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A known rmm user agent $http_user_agent$ was performing a request from $src$.
+  risk_objects:
+  - field: src
+    type: system
+    score: 44
+  threat_objects:
+  - field: http_user_agent
+    type: http_user_agent
+tags:
+  analytic_story:
+  - Remote Monitoring and Management Software
+  - Suspicious User Agents
+  asset_type: Network
+  mitre_attack_id:
+  - T1071.001
+  - T1219
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.001/http_user_agents/suricata_rmm.log
+    sourcetype: suricata
+    source: suricata
@@ -0,0 +1,78 @@
+name: HTTP Scripting Tool User Agent
+id: 04430b4e-5ca8-4e88-98b5-d6bcf54f8393
+version: 1
+date: '2025-10-09'
+author: Raven Tait, Splunk
+status: production
+type: Anomaly
+description: This Splunk query analyzes web access logs to identify and categorize 
+  non-browser user agents, detecting various types of security tools, scripting languages,
+  automation frameworks, and suspicious patterns. This activity can signify malicious actors
+  attempting to interact with web endpoints in non-standard ways.
+data_source:
+- Nginx Access
+search: '`nginx_access_logs`
+  | eval http_user_agent = lower(http_user_agent)
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `drop_dm_object_name(Web)`
+  | lookup scripting_tools_user_agents tool_user_agent AS http_user_agent OUTPUT tool
+  | where isnotnull(tool)
+  | rename dest_ip as dest
+  | stats count min(firstTime) as first_seen max(lastTime) as last_seen values(tool) as tool 
+  by http_user_agent dest src_ip status
+  | `http_scripting_tool_user_agent_filter`'
+how_to_implement: This analytic necessitates the collection of web data, which can
+  be achieved through Splunk Stream or by utilizing the Splunk Add-on for Apache Web
+  Server. No additional configuration is required for this analytic.
+known_false_positives: False positives may be present if the activity is part of diagnostics
+  or testing. Filter as needed.
+references:
+  - https://portswigger.net/web-security/request-smuggling#what-is-http-request-smuggling
+  - https://portswigger.net/research/http1-must-die
+  - https://www.vaadata.com/blog/what-is-http-request-smuggling-exploitations-and-security-best-practices/
+  - https://www.securityweek.com/new-http-request-smuggling-attacks-impacted-cdns-major-orgs-millions-of-websites/
+  - https://github.com/SigmaHQ/sigma/blob/master/rules/web/proxy_generic/proxy_ua_hacktool.yml
+  - https://help.aikido.dev/zen-firewall/miscellaneous/bot-protection-details
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Known scripting tool was used against a web request.
+    The source IP is $src_ip$ and the destination is $dest$.
+  risk_objects:
+  - field: dest
+    type: system
+    score: 31
+  threat_objects:
+  - field: src_ip
+    type: ip_address
+tags:
+  analytic_story:
+  - HTTP Request Smuggling
+  - Suspicious User Agents
+  asset_type: Network
+  mitre_attack_id:
+  - T1071.001
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/request_smuggling/nginx_scripting_tools.log
+    source: nginx:plus:kv
+    sourcetype: nginx:plus:kv