title: Empty User Agent
status: experimental
description: Detects suspicious empty user agent strings in proxy logs
references:
    - https://twitter.com/Carlos_Perez/status/883455096645931008
author: Florian Roth
logsource:
    category: proxy
detection:
    selection:
      # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString 
      UserAgent: ''
    condition: selection
fields:
    - ClientIP
    - URL
    - UserAgent
falsepositives:
    - Unknown
level: medium