Detection: HTTP Scripting Tool User Agent

Updated Date: 2026-06-15 ID: 04430b4e-5ca8-4e88-98b5-d6bcf54f8393 Author: Raven Tait, Splunk Type: Anomaly Product: Splunk Enterprise Security

Description

This Splunk query analyzes web access logs to identify and categorize non-browser user agents, detecting various types of security tools, scripting languages, automation frameworks, and suspicious patterns. This activity can signify malicious actors attempting to interact with web endpoints in non-standard ways.

Search

 1
 2| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
 3from datamodel=Web where
 4Web.http_user_agent =*
 5NOT Web.http_user_agent IN (
 6    "-",
 7    "unknown"
 8)
 9by Web.http_user_agent Web.dest Web.src Web.status
10
11| `security_content_ctime(firstTime)`
12
13| `security_content_ctime(lastTime)`
14
15| `drop_dm_object_name(Web)`
16
17| eval http_user_agent = lower(http_user_agent)
18
19| lookup scripting_tools_user_agents tool_user_agent AS http_user_agent OUTPUT tool
20
21| where isnotnull(tool)
22
23| stats count
24    min(firstTime) as first_seen
25    max(lastTime) as last_seen
26    values(tool) as tool
27by http_user_agent dest src status
28
29| `security_content_ctime(first_seen)`
30
31| `security_content_ctime(last_seen)`
32
33| `http_scripting_tool_user_agent_filter`

Data Source

Name	Platform	Sourcetype	Source
Nginx Access	Other	`'nginx:plus:kv'`	`'/var/log/nginx/access.log'`

Macros Used

Name	Value
security_content_ctime	`convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)`
http_scripting_tool_user_agent_filter	`search *`

http_scripting_tool_user_agent_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1071.001	Web Protocols	Command and Control

Command and Control

DE.AE

CIS 13

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Finding (Notable)	No
Creates Intermediate Finding (Risk Event)	Yes

Anomaly detections generate Intermediate Findings (Risk Events). They do not generate a Finding (Notable) directly.

Implementation

This analytic necessitates the collection of web data, which can be achieved through Splunk Stream or by utilizing the Splunk Add-on for Apache Web Server. No additional configuration is required for this analytic.

Known False Positives

False positives may be present if the activity is part of diagnostics or testing. Filter as needed.

Associated Analytic Story

Intermediate Findings

Message	Entity Field	Entity Type	Risk Score
Known scripting tool was used against a web request. The source IP/Host is $src$ and the destination is $dest$.	dest	system	20

Threat Objects

Field	Type
src	ip_address
http_user_agent	http_user_agent

References

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`nginx:plus:kv`	`nginx:plus:kv`
Integration	✅ Passing	Dataset	`nginx:plus:kv`	`nginx:plus:kv`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 6