weblogs summary useragents

Probably Legit User Agents - threshold >3

sourcetype=whatever ua!="" ua!="*legit*"  | fields ua | cluster labelonly=t field=ua t=0.4 | stats dc(ua) as cua, values(ua) as vua by cluster_label | where cua > 3 | table cluster_label, vua, cua

Anomalous User-Agents - threshold >=3

sourcetype=whatever ua!="" ua!="*legit*"  | fields ua | cluster labelonly=t field=ua t=0.4 | stats dc(ua) as cua, values(ua) as vua by cluster_label | where cua <= 3 | table cluster_label, vua, cua

In both searches, sourcetype=whatever stands for the sourcetype of the Squid proxy access log, which needs a ua field extracted for the cluster and stats commands to work on.
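An offline rendering of the same logic, added here as an example that is not part of the original page: it pulls the user-agent out of constructed Squid combined-format lines, drops empty and allowlisted agents (the ua!="*legit*" filter), groups the rest with a token-Jaccard similarity standing in for Splunk's cluster t=0.4, and splits clusters at dc(ua) > 3 versus <= 3. The sample lines, the ConstructedMonitor allowlist entry and the Jaccard scoring are assumptions; Splunk's cluster command uses its own similarity measure, so cluster boundaries on real data will differ in detail.

```python
import re

# Constructed Squid "combined" logformat lines (not real traffic). The user-agent is
# the third quoted field: client ident user [time] "request" status bytes "referer" "ua" ...
SAMPLE_LOG = """\
10.0.0.11 - - [01/Mar/2024:10:00:01 +0000] "GET http://example.com/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" HIER_DIRECT/93.184.216.34 text/html
10.0.0.12 - - [01/Mar/2024:10:00:02 +0000] "GET http://example.com/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" HIER_DIRECT/93.184.216.34 text/html
10.0.0.13 - - [01/Mar/2024:10:00:03 +0000] "GET http://example.com/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" HIER_DIRECT/93.184.216.34 text/html
10.0.0.14 - - [01/Mar/2024:10:00:04 +0000] "GET http://example.com/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" HIER_DIRECT/93.184.216.34 text/html
10.0.0.17 - - [01/Mar/2024:10:00:07 +0000] "GET http://example.com/ HTTP/1.1" 200 5120 "-" "curl/8.4.0" HIER_DIRECT/93.184.216.34 text/html
10.0.0.19 - - [01/Mar/2024:10:00:09 +0000] "GET http://example.com/ HTTP/1.1" 200 5120 "-" "ConstructedRecon/1.0" HIER_DIRECT/93.184.216.34 text/html
10.0.0.19 - - [01/Mar/2024:10:00:10 +0000] "GET http://example.com/ HTTP/1.1" 200 5120 "-" "ConstructedRecon/1.1" HIER_DIRECT/93.184.216.34 text/html
10.0.0.20 - - [01/Mar/2024:10:00:11 +0000] "GET http://example.com/ HTTP/1.1" 200 5120 "-" "ConstructedMonitor/3.2 (internal-healthcheck)" HIER_DIRECT/93.184.216.34 text/html
10.0.0.21 - - [01/Mar/2024:10:00:12 +0000] "GET http://example.com/ HTTP/1.1" 200 5120 "-" "-" HIER_DIRECT/93.184.216.34 text/html
"""

# Stands in for ua!="*legit*": substrings marking known-good agents (assumed value).
ALLOWLIST = ("ConstructedMonitor",)

def extract_uas(log_text):
    """Return the user-agent of every line, skipping empty ("-") and allowlisted ones."""
    uas = []
    for line in log_text.splitlines():
        quoted = re.findall(r'"([^"]*)"', line)
        ua = quoted[2] if len(quoted) >= 3 else ""
        if ua and ua != "-" and not any(a in ua for a in ALLOWLIST):
            uas.append(ua)
    return uas

def similarity(a, b):
    """Jaccard similarity over alphanumeric tokens (an approximation of Splunk's scoring)."""
    ta, tb = set(re.findall(r"[A-Za-z0-9]+", a)), set(re.findall(r"[A-Za-z0-9]+", b))
    return len(ta & tb) / len(ta | tb)

def cluster_uas(uas, t=0.4):
    """Greedy leader clustering: join the first cluster whose leader scores >= t, else start one."""
    clusters = []  # each entry is a list of distinct UA strings, leader first
    for ua in dict.fromkeys(uas):  # distinct values, first-seen order kept
        for members in clusters:
            if similarity(members[0], ua) >= t:
                members.append(ua)
                break
        else:
            clusters.append([ua])
    return clusters

def split_by_threshold(uas, threshold=3, t=0.4):
    """(probably_legit, anomalous): clusters with dc(ua) > threshold versus <= threshold."""
    clusters = cluster_uas(uas, t)
    return [c for c in clusters if len(c) > threshold], [c for c in clusters if len(c) <= threshold]
```

Running split_by_threshold(extract_uas(SAMPLE_LOG)) puts the four Chrome variants in one cluster on the "probably legit" side and leaves curl and the two ConstructedRecon versions as small clusters on the anomalous side.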