← Back to Explore
splunk_escuTTP
HTTP Malware User Agent
This Splunk query analyzes web logs to identify and categorize user agents, detecting various types of malware. This activity can signify possible compromised hosts on the network.
Detection Query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
WHERE Web.http_user_agent != null
BY Web.http_user_agent Web.http_method, Web.url,
Web.url_length Web.src, Web.dest
| `drop_dm_object_name("Web")`
| lookup malware_user_agents malware_user_agent AS http_user_agent OUTPUT malware
| where isnotnull(malware)
| stats count min(firstTime) as first_seen max(lastTime) as last_seen
BY malware url http_user_agent
src dest
| `security_content_ctime(first_seen)`
| `security_content_ctime(last_seen)`
| `http_malware_user_agent_filter`Author
Raven Tait, Splunk
Data Sources
Suricata
References
Raw Content
name: HTTP Malware User Agent
id: 8c4866e4-f488-4253-8537-7dc4f954c292
version: 5
creation_date: '2026-01-06'
modification_date: '2026-05-13'
author: Raven Tait, Splunk
status: production
type: TTP
description: This Splunk query analyzes web logs to identify and categorize user agents, detecting various types of malware. This activity can signify possible compromised hosts on the network.
data_source:
- Suricata
search: |-
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
WHERE Web.http_user_agent != null
BY Web.http_user_agent Web.http_method, Web.url,
Web.url_length Web.src, Web.dest
| `drop_dm_object_name("Web")`
| lookup malware_user_agents malware_user_agent AS http_user_agent OUTPUT malware
| where isnotnull(malware)
| stats count min(firstTime) as first_seen max(lastTime) as last_seen
BY malware url http_user_agent
src dest
| `security_content_ctime(first_seen)`
| `security_content_ctime(last_seen)`
| `http_malware_user_agent_filter`
how_to_implement: To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.
known_false_positives: Filtering may be required in some instances depending on legacy system usage, filter as needed.
references:
- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_http_user_agents_list.csv
drilldown_searches:
- name: View the detection results for - "$src$"
search: '%original_detection_search% | search src = "$src$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
finding:
title: A known malware user agent $http_user_agent$ was performing a request from $src$.
entity:
field: src
type: system
score: 50
threat_objects:
- field: http_user_agent
type: http_user_agent
analytic_story:
- Lokibot
- Lumma Stealer
- Meduza Stealer
- Crypto Stealer
- RedLine Stealer
- Suspicious User Agents
asset_type: Network
mitre_attack_id:
- T1071.001
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: network
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.001/http_user_agents/suricata_malware.log
sourcetype: suricata
source: not_applicable
test_type: unit