HTTP RMM User Agent

name: HTTP RMM User Agent
id: 61884b02-0dcf-44c5-9094-db33bac09fa6
version: 5
creation_date: '2026-01-06'
modification_date: '2026-05-13'
author: Raven Tait, Splunk
status: production
type: Anomaly
description: This Splunk query analyzes web logs to identify and categorize user agents, detecting various types of Remote Monitoring and Mangement applications. This activity can signify possible compromised hosts on the network.
data_source:
    - Suricata
search: |-
    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
      WHERE Web.http_user_agent != null
      BY Web.http_user_agent Web.http_method, Web.url,
         Web.url_length Web.src, Web.dest
    | `drop_dm_object_name("Web")`
    | lookup rmm_user_agents rmm_user_agent AS http_user_agent OUTPUT tool
    | where isnotnull(tool)
    | stats count min(firstTime) as first_seen max(lastTime) as last_seen
      BY tool url http_user_agent
         src dest
    | `security_content_ctime(first_seen)`
    | `security_content_ctime(last_seen)`
    | `http_rmm_user_agent_filter`
how_to_implement: To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.
known_false_positives: Noise and false positive can be seen if these programs are allowed to be used within corporate network. In this case, a filter is needed.
references:
    - https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_http_user_agents_list.csv
drilldown_searches:
    - name: View the detection results for - "$src$"
      search: '%original_detection_search% | search  src = "$src$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: src
          type: system
          score: 20
          message: A known rmm user agent $http_user_agent$ was performing a request from $src$.
threat_objects:
    - field: http_user_agent
      type: http_user_agent
analytic_story:
    - Remote Monitoring and Management Software
    - Suspicious User Agents
asset_type: Network
mitre_attack_id:
    - T1071.001
    - T1219
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: network
security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.001/http_user_agents/suricata_rmm.log
          sourcetype: suricata
          source: not_applicable
      test_type: unit