Eric Partington

Domains with one UserAgent

Blog post created by Eric Partington on Jun 3, 2018

I leverage many sources to get ideas around spotting anomalies in an environment. One of the sources I leverage is the Twitter account of Jack Crook (@jackcr), who provides many ideas around methods and approaches to separate known from unknown, or common from rare.


One of his posts inspired me to see if something similar could be implemented using the RSA NetWitness Platform.


The idea behind the report is to look for outbound HTTP sessions where, over the reporting period, a destination domain is accessed by only one distinct user agent, and that user agent contains 'mozilla' (so it presents itself as a browser). A domain that many people browse to will normally see many different user-agent strings; a domain that sees exactly one is worth a look.


After a few tests in the lab, this is the rule that was developed, shown here as exported from the report:


name: "DomainsWithOneUserAgent(1)"
description: ""
path_for_export: "rsa-custom/rareUaDomain/DomainsWithOneUserAgent(1)"
query {
  data_source_type: NWDB
  netwitness_query {
    select: ",countdistinct(client),distinct(client),org.dst,countdistinct(ip.src)"
    where: " exists && client exists && direction = \'outbound\' && client contains \'mozilla\'"
    group_by_keys: "AGGREGATE"
    order_by_keys {
      column_name: "countdistinct(client)"
      sort_order: ASCENDING
    }
    order_by_keys {
      column_name: ""
      sort_order: ASCENDING
    }
    limit_results_count: 100
    then_clause: "max_threshold(1,countdistinct(client))"
    agg_session_threshold: 0
    group_by: ""
    group_by: "org.dst"
    alias_names: ""
  }
  data_source_name: ""
}

The sessions are grouped by org.dst, sorted by countdistinct(client) ascending, and limited to the top 100 rows. The then clause applies a max threshold of 1 on countdistinct(client), so only domains that were accessed by a single unique user agent over the reporting time frame are returned. countdistinct(ip.src) is selected alongside it so you can see how many source hosts that one user agent came from: one user agent from one host is a very different finding from one user agent shared by fifty hosts. Keep in mind that the 'mozilla' filter sits in the where clause, so it is applied before aggregation; a domain that is also hit by non-Mozilla user agents (curl, python-requests and the like) still shows a count of 1 as long as only one Mozilla-style user agent touched it.
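To check the logic outside the platform, here is an added example (not code from the original post or from the NetWitness rule export) that re-implements the report's aggregation in plain Python over a handful of constructed sessions. The field names follow the meta keys used in the rule; the domains, user-agent strings and addresses are made up. Two assumptions: the key name missing before the first `exists` in the exported where clause is taken to be org.dst (the group-by key), and `contains` is treated as case-insensitive.

```python
"""Re-implementation of the DomainsWithOneUserAgent report logic (added example)."""
from collections import defaultdict

# Constructed user-agent strings for the sample sessions below (not real traffic).
UA_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36")
UA_FIREFOX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
UA_EDGE = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134")
UA_ODD = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"  # browser-like but stale
UA_CURL = "curl/7.58.0"
UA_PY = "python-requests/2.18.4"


def session(dom, ua, src, direction="outbound"):
    """Build one session record using the meta key names from the rule."""
    return {"org.dst": dom, "client": ua, "ip.src": src, "direction": direction}


# Constructed sample sessions covering the cases the rule has to handle.
SAMPLE_SESSIONS = [
    # busy domain: three browsers from three hosts -> countdistinct(client) = 3, dropped
    session("cdn.example.com", UA_CHROME, "10.0.0.11"),
    session("cdn.example.com", UA_FIREFOX, "10.0.0.12"),
    session("cdn.example.com", UA_EDGE, "10.0.0.13"),
    # one browser UA seen from two hosts -> kept, countdistinct(ip.src) = 2
    session("updates.example.net", UA_CHROME, "10.0.0.11"),
    session("updates.example.net", UA_CHROME, "10.0.0.14"),
    # one odd browser-like UA from a single host, plus a python-requests hit that
    # the 'mozilla' filter removes before aggregation -> kept with count 1
    session("rare.example.org", UA_ODD, "10.0.0.21"),
    session("rare.example.org", UA_PY, "10.0.0.22"),
    # no 'mozilla' in the UA at all -> never reaches the aggregation
    session("api.example.io", UA_CURL, "10.0.0.31"),
    # inbound traffic is excluded by the direction test
    session("portal.example.com", UA_CHROME, "203.0.113.7", direction="inbound"),
    # missing org.dst fails the 'exists' test
    {"client": UA_CHROME, "ip.src": "10.0.0.11", "direction": "outbound"},
]


def domains_with_one_user_agent(sessions, ua_substring="mozilla", limit=100):
    """Mirror of the rule:
    where:  org.dst exists && client exists && direction = 'outbound'
            && client contains <ua_substring>     (org.dst is an assumption)
    select: countdistinct(client), distinct(client), org.dst, countdistinct(ip.src)
    group by org.dst, then max_threshold(1, countdistinct(client)),
    order by countdistinct(client) ascending, limit <limit>.
    Returns a list of (org.dst, sorted distinct clients, countdistinct(ip.src)).
    """
    clients = defaultdict(set)   # org.dst -> distinct client strings
    sources = defaultdict(set)   # org.dst -> distinct ip.src values
    needle = ua_substring.lower()
    for s in sessions:
        dom, ua = s.get("org.dst"), s.get("client")
        if not dom or not ua:                      # the two 'exists' tests
            continue
        if s.get("direction") != "outbound":       # direction = 'outbound'
            continue
        # 'contains' is assumed case-insensitive. Because this filter runs before
        # aggregation, non-matching UAs for the same domain are never counted.
        if needle not in ua.lower():
            continue
        clients[dom].add(ua)
        sources[dom].add(s.get("ip.src"))

    rows = [(dom, sorted(uas), len(sources[dom]))
            for dom, uas in clients.items()
            if len(uas) <= 1]                      # max_threshold(1, countdistinct(client))
    # order by countdistinct(client) ascending; every survivor has 1, so the
    # secondary key (fewest source hosts first) is what actually orders triage
    rows.sort(key=lambda r: (len(r[1]), r[2], r[0]))
    return rows[:limit]


if __name__ == "__main__":
    for dom, uas, n_src in domains_with_one_user_agent(SAMPLE_SESSIONS):
        print(f"{dom}: {n_src} source host(s), client={uas[0]}")
```

Running it returns rare.example.org first (one stale MSIE-style user agent from one host) and updates.example.net second (one Chrome user agent shared by two hosts); cdn.example.com drops out on the threshold, api.example.io never matches the filter, and the python-requests session against rare.example.org does not raise that domain's count because it was filtered out before grouping.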


Results look like this (lab results)

The report is included at the GitHub link below. As always, I'm curious to see how this tests on a larger network, to check its validity and whether tweaks are necessary. If you have any feedback please let me know.


GitHub - epartington/rsa_nw_re_useragent_domain_rare 


Feedback always appreciated


Happy Hunting