masscan User Agent - Proxy

Anvilogic Forge

Summary
This detection rule identifies potential masscan traffic by inspecting the User Agent header of HTTP requests seen in a web proxy environment. Masscan is a high-speed network scanner that rapidly finds open ports and discovers services, which makes it useful to threat actors conducting reconnaissance on target networks. The Splunk logic searches web data for masscan by filtering on User Agent strings. It queries both regular web data and proxy data to give a comprehensive view of any suspicious scanning activity that carries a masscan user agent signature. It then aggregates data points such as time, host, user, URI path, and source/destination IPs, focusing on events that suggest masscan is being used for unauthorized network discovery.
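An added example, not the Anvilogic rule's Splunk query: the same User Agent filter and aggregation applied in Python to constructed proxy log lines. The log field layout, the sample values and the function name `detect_masscan` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not real traffic). Assumed field order:
# time host user src_ip dest_ip uri_path "user_agent"
SAMPLE_LOGS = '''\
2024-08-23T10:00:01Z proxy01 - 203.0.113.7 10.0.0.5 / "masscan/1.3 (https://github.com/robertdavidgraham/masscan)"
2024-08-23T10:00:01Z proxy01 - 203.0.113.7 10.0.0.6 / "masscan/1.3 (https://github.com/robertdavidgraham/masscan)"
2024-08-23T10:00:02Z proxy01 alice 10.0.1.20 198.51.100.4 /index.html "Mozilla/5.0 (X11; Linux x86_64)"
2024-08-23T10:00:03Z proxy02 - 203.0.113.7 10.0.0.5 /admin "MASSCAN/1.0"
2024-08-23T10:00:04Z proxy02 bob 10.0.1.21 198.51.100.9 /tools/masscan.html "curl/8.5.0"
this line is malformed and must be skipped
'''

LINE_RE = re.compile(
    r'^(?P<time>\S+) (?P<host>\S+) (?P<user>\S+) (?P<src>\S+) '
    r'(?P<dest>\S+) (?P<uri_path>\S+) "(?P<user_agent>[^"]*)"$')
UA_RE = re.compile(r'masscan', re.IGNORECASE)  # applied to the header only, not the URI

def detect_masscan(log_text):
    """Return one summary per source IP whose User-Agent names masscan."""
    hits = defaultdict(lambda: {"count": 0, "hosts": set(), "users": set(),
                                "dests": set(), "uri_paths": set(),
                                "first_seen": None, "last_seen": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not UA_RE.search(m["user_agent"]):
            continue  # unparsable line, or the User-Agent does not name masscan
        h = hits[m["src"]]
        h["count"] += 1
        h["hosts"].add(m["host"])
        h["users"].add(m["user"])
        h["dests"].add(m["dest"])
        h["uri_paths"].add(m["uri_path"])
        # ISO-8601 UTC timestamps of equal precision sort lexicographically
        h["first_seen"] = min(filter(None, (h["first_seen"], m["time"])))
        h["last_seen"] = max(filter(None, (h["last_seen"], m["time"])))
    return dict(hits)

if __name__ == "__main__":
    for src, h in detect_masscan(SAMPLE_LOGS).items():
        print(src, h["count"], sorted(h["dests"]), h["first_seen"], h["last_seen"])
```

The User Agent header is set by the client, so a match is a high-confidence signal but the absence of matches does not rule out scanning.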
Categories
  • Network
  • Web
Data Sources
  • Web Credential
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1046
Created: 2024-08-23