Hackers are people too.
Sometimes it is difficult to remember that fact based on the Hollywood attack stories we may hear on the news, in presentations and ghost stories. But it is true, hackers are people. They know how they want things done, and they reuse the same tools. One of those shortcuts they may use is the HTTP Accept-Language header.
HTTP is an application protocol that browsers use to communicate to web servers. A fundamental part of that communicate is the use of HTTP headers. HTTP headers are traditionally sent as text with each header on a new line. The HTTP Accept-Language header is used by a browser to indicate to the web server the language(s) in which to present the reply. Hackers may be lazy, not thorough, or simply sloppy and forget to change these settings. These settings can also be used to get an idea of the country in which an attacker lives though it is not a very high fidelity indicator. Security Analytics has insight into the Accept-Language header, and can extract this potential indicator.
Here is a link to a parser that takes this HTTP Accept-Language header and extracts the language keys and places them in the language meta key in a human readable format. This allows the analyst to query for certain languages, or create reports looking for abnormal languages in their environment. Further documentation on the parser is available here.
Thanks for taking the time to read, and hopefully you find this useful in your environment.
UPDATE- here is an updated version of the lua parser to improve performance.