
Summary
This detection rule uses machine learning to identify rare and unusual user agents in web traffic, which can indicate activity by processes other than standard web browsers. A user agent is the string an application sends to identify itself to a web server; attackers can set arbitrary user agents in traffic used for command-and-control, persistence, or data exfiltration. The rule flags any uncommon user agent observed in network traffic, particularly in connections from local sources to remote destinations, since such traffic may indicate operations like scanning or bot activity. While unusual user agents can also come from legitimate applications, a rare user agent is a critical indicator of compromise, making this rule valuable for early threat detection and response.
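The rule itself relies on an ML anomaly-detection job; the following is an added illustration (not the rule's own code) of the underlying idea as a simple frequency count: restrict to connections from RFC 1918 (local) sources to non-local destinations, count how often each user agent appears, and flag the ones seen at or below a small threshold. The log records, field layout, and the `max_count` threshold are constructed assumptions for the example.

```python
import ipaddress
from collections import Counter

# RFC 1918 ranges used to decide whether an address is "local".
# (ipaddress.is_private also covers documentation/test ranges, so the
#  check is spelled out explicitly here.)
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"
REQUESTS = "python-requests/2.31.0"

# Constructed sample records, not real traffic: (source_ip, destination_ip, user_agent).
# Destinations use TEST-NET documentation addresses.
SAMPLE_EVENTS = [
    ("10.0.0.5", "203.0.113.10", CHROME),
    ("10.0.0.6", "203.0.113.10", CHROME),
    ("10.0.0.7", "198.51.100.20", CHROME),
    ("10.0.0.5", "198.51.100.20", CHROME),
    ("192.168.1.20", "203.0.113.10", CHROME),
    ("10.0.0.5", "203.0.113.10", REQUESTS),
    ("10.0.0.6", "203.0.113.10", REQUESTS),
    ("10.0.0.7", "203.0.113.10", REQUESTS),
    ("10.0.0.9", "203.0.113.44", "xyz-updater/0.1"),        # rare, outbound -> should be flagged
    ("203.0.113.77", "10.0.0.9", "scanner-bot/2.0"),        # inbound -> out of scope
    ("10.0.0.9", "10.0.0.1", "internal-healthcheck/1.0"),   # local-to-local -> out of scope
]


def is_local(ip: str) -> bool:
    """True if the address falls in an RFC 1918 range; unparsable input counts as non-local."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def outbound_events(events):
    """Keep only local-source to remote-destination connections, as the rule scopes its check."""
    return [e for e in events if is_local(e[0]) and not is_local(e[1])]


def rare_user_agents(events, max_count: int = 2) -> dict:
    """Map each user agent seen at most max_count times in outbound traffic to its count.

    The real rule learns rarity from a baseline with ML; a fixed count is a
    deliberate simplification for the example.
    """
    counts = Counter(ua for _, _, ua in outbound_events(events))
    return {ua: n for ua, n in counts.items() if n <= max_count}


def flag_events(events, max_count: int = 2):
    """Return the outbound records whose user agent is rare, for analyst triage."""
    rare = rare_user_agents(events, max_count)
    return [e for e in outbound_events(events) if e[2] in rare]


if __name__ == "__main__":
    for src, dst, ua in flag_events(SAMPLE_EVENTS):
        print(f"rare user agent: {src} -> {dst} {ua!r}")
```

Note that the inbound scanner record and the local-to-local health check are left out by design: the rule's scope is traffic from local sources to remote destinations, and keeping that filter is what stops ordinary internal tooling from drowning out the outbound anomalies.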
Categories
- Network
- Endpoint
Data Sources
- Network Traffic
- User Account
ATT&CK Techniques
- T1071
- T1071.001
Created: 2020-03-25