
Summary
The HTTP C2 Framework User Agent rule detects interactions with command and control (C2) frameworks by analyzing user agent strings in web logs. Using a Splunk query over web logs, it identifies and categorizes user agents that match known C2 tools. This flags suspicious user agent activity that may indicate malicious actors executing commands on target hosts within the network. The search operates on the Web datamodel, filtering for non-null user agent entries and cross-referencing them against a known list of suspicious C2 user agents. The results provide forensic context: the first and last sightings of the tool, its use in web requests, and network details such as source and destination IPs. Implementation requires ingesting accurate web or proxy logs, and results may need tuning to the existing network so that legacy systems do not generate overwhelming false positives.
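The following is an added example that replays the rule's steps in Python over constructed log lines; it is not the Splunk rule's own SPL and the user-agent lookup values, field layout, IPs and timestamps are all constructed for illustration. It mirrors what the summary describes: keep only events with a non-null user agent, match the agent against a suspicious-UA list, then report first and last seen, request count, URLs and source/destination per match. An optional source allowlist stands in for the tuning step that keeps known legacy systems from flooding the results.

```python
"""Re-creation of the HTTP C2 Framework User Agent detection logic (added
example, not the Splunk rule itself). Everything below is constructed."""
import re

# Constructed lookup standing in for the rule's C2 user-agent list (assumption:
# the real list is not reproduced here). Keys match case-insensitively as
# substrings; values are the category reported for the match.
SUSPICIOUS_UA_LOOKUP = {
    "constructed-c2-agent": "ExampleFramework-A",
    "lab-beacon-ua": "ExampleFramework-B",
}

# Constructed web/proxy log lines in key=value form. Field names (_time, src,
# dest, url, http_user_agent) follow Splunk's Web datamodel naming.
SAMPLE_LOG = """\
_time="2025-12-15T08:00:00" src=10.0.0.5 dest=203.0.113.10 url="/index.html" http_user_agent="Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/120.0"
_time="2025-12-15T08:01:10" src=10.0.0.7 dest=203.0.113.20 url="/update" http_user_agent="constructed-c2-agent/1.0"
_time="2025-12-15T08:03:45" src=10.0.0.7 dest=203.0.113.20 url="/tasks" http_user_agent="Constructed-C2-Agent/1.0"
_time="2025-12-15T08:05:00" src=10.0.0.9 dest=203.0.113.30 url="/login"
_time="2025-12-15T08:06:30" src=10.0.0.11 dest=203.0.113.40 url="/tasks" http_user_agent="lab-beacon-ua"
_time="2025-12-15T08:07:00" src=10.0.0.99 dest=203.0.113.40 url="/health" http_user_agent="lab-beacon-ua"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line; values may be quoted or bare."""
    return {k: (quoted or bare) for k, quoted, bare in FIELD_RE.findall(line)}


def classify_user_agent(ua, lookup):
    """Return the category for a user agent that hits the lookup, else None."""
    ua_lower = ua.lower()
    for needle, category in lookup.items():
        if needle in ua_lower:
            return category
    return None


def detect_c2_user_agents(log_text, lookup, allowlist_src=frozenset()):
    """Aggregate suspicious user-agent hits by (category, src, dest).

    Events with no user agent are skipped, matching the rule's non-null
    check; allowlist_src drops known legacy hosts as a tuning step.
    """
    groups = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        ua = ev.get("http_user_agent")
        if not ua:
            continue
        category = classify_user_agent(ua, lookup)
        if category is None or ev.get("src") in allowlist_src:
            continue
        key = (category, ev.get("src"), ev.get("dest"))
        g = groups.setdefault(key, {
            "category": category, "src": key[1], "dest": key[2],
            "first_seen": ev["_time"], "last_seen": ev["_time"],
            "count": 0, "user_agents": set(), "urls": set(),
        })
        g["count"] += 1
        # ISO-8601 timestamps sort correctly as strings.
        g["first_seen"] = min(g["first_seen"], ev["_time"])
        g["last_seen"] = max(g["last_seen"], ev["_time"])
        g["user_agents"].add(ua)
        g["urls"].add(ev.get("url", ""))
    return sorted(groups.values(), key=lambda g: g["first_seen"])


if __name__ == "__main__":
    # Constructed allowlist: 10.0.0.99 is treated as a known legacy system.
    for hit in detect_c2_user_agents(SAMPLE_LOG, SUSPICIOUS_UA_LOOKUP,
                                     allowlist_src={"10.0.0.99"}):
        print(f"{hit['category']}: {hit['src']} -> {hit['dest']} "
              f"x{hit['count']} ({hit['first_seen']} .. {hit['last_seen']})")
```

Running the block without the allowlist yields three groups, one of them the legacy host; with the allowlist it yields two, which is the kind of tuning the summary refers to. Grouping on the category rather than the raw string also folds case variants of the same agent into one finding.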
Categories
- Network
Data Sources
- Web Credential
ATT&CK Techniques
- T1071.001
Created: 2025-12-15