Web Application Suspicious Activity: No User Agent

A request to a web application server contained no identifying user agent string.


 1[metadata]
 2creation_date = "2020/02/18"
 3maturity = "deprecated"
 4min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 5min_stack_version = "8.3.0"
 6updated_date = "2022/09/13"
 7deprecation_date = "2022/09/13"
 8
 9[rule]
10author = ["Elastic"]
11description = "A request to a web application server contained no identifying user agent string."
12false_positives = [
13    """
14    Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet
15    contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is
16    unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity.
17    """,
18]
19index = ["apm-*-transaction*", "traces-apm*"]
20language = "kuery"
21license = "Elastic License v2"
22name = "Web Application Suspicious Activity: No User Agent"
23references = ["https://en.wikipedia.org/wiki/User_agent"]
24risk_score = 47
25rule_id = "43303fd4-4839-4e48-b2b2-803ab060758d"
26severity = "medium"
27tags = ["Elastic", "APM"]
28timestamp_override = "event.ingested"
29type = "query"
30
31query = '''
32url.path:*
33'''
34
35
36[[rule.filters]]
37
38[rule.filters."$state"]
39store = "appState"
40[rule.filters.exists]
41field = "user_agent.original"
42[rule.filters.meta]
43disabled = false
44indexRefName = "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
45key = "user_agent.original"
46negate = true
47type = "exists"
48value = "exists"
