Rank UserAgent strings over all Nginx and ALB logs
This query will characterize activity by UserAgent over ALB and Nginx logs. This can be useful in an investigation, if an actor has a known set of characteristic UserAgents.
SELECT useragent,sum(row_count) AS total_rowsFROM (SELECT useragent,count(1) AS row_countFROM panther_logs.public.aws_albWHERE p_occurs_between('2021-01-01', '2021-01-02')GROUP BY useragentUNION ALLSELECT httpuseragent AS useragent,count(1) AS row_countFROM panther_logs.public.nginx_accessWHERE p_occurs_between('2021-01-01', '2021-01-02')GROUP BY httpuseragent)GROUP BY useragentORDER BY total_rows DESC
SELECT useragent,sum(row_count) AS total_rowsFROM (SELECT useragent,count(1) AS row_countFROM panther_logs.aws_albWHERE p_occurs_between('2021-01-01', '2021-01-02')GROUP BY useragentUNION ALLSELECT httpuseragent AS useragent,count(1) AS row_countFROM panther_logs.nginx_accessWHERE p_occurs_between('2021-01-01', '2021-01-02')GROUP BY httpuseragent)GROUP BY useragentORDER BY total_rows DESC
