diff --git a/use-cases/web-logs.md b/use-cases/web-logs.md
index 7c4d75a885..34579f2619 100644
--- a/use-cases/web-logs.md
+++ b/use-cases/web-logs.md
@@ -16,6 +16,14 @@ Using the fields as represented here is not expected to conflict with ECS, but m
 | <a name="http.response.status_code"></a>*http.response.status_code* | *Http response status code.* | (use case) | long | `404` |
 | <a name="http.response.body"></a>*http.response.body* | *The full http response body.* | (use case) | keyword | `Hello world` |
 | <a name="http.version"></a>*http.version* | *Http version.* | (use case) | keyword | `1.1` |
+| <a name="user_agent.&ast;"></a>*user_agent.&ast;* | *The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.<br/>* |  |  |  |
+| <a name="user_agent.original"></a>*user_agent.original* | *Unparsed version of the user_agent.* | (use case) | keyword |  |
+| <a name="user_agent.device"></a>*user_agent.device* | *Name of the physical device.* | (use case) | keyword |  |
+| <a name="user_agent.version"></a>*user_agent.version* | *Version of the physical device.* | (use case) | keyword |  |
+| <a name="user_agent.major"></a>*user_agent.major* | *Major version of the user agent.* | (use case) | long |  |
+| <a name="user_agent.minor"></a>*user_agent.minor* | *Minor version of the user agent.* | (use case) | long |  |
+| <a name="user_agent.patch"></a>*user_agent.patch* | *Patch version of the user agent.* | (use case) | keyword |  |
+| <a name="user_agent.name"></a>*user_agent.name* | *Name of the user agent.* | (use case) | keyword | `Chrome` |
 
 
 
diff --git a/use-cases/web-logs.yml b/use-cases/web-logs.yml
index 8ad1a81b82..3594b049cc 100644
--- a/use-cases/web-logs.yml
+++ b/use-cases/web-logs.yml
@@ -57,3 +57,55 @@ fields:
       description: >
         Http version.
       example: 1.1
+
+- name: user_agent
+  title: User agent
+  group: 2
+  description: >
+    The user_agent fields normally come from a browser request. They often
+    show up in web service logs coming from the parsed user agent string.
+  type: group
+  fields:
+
+    - name: original
+      level: extended
+      type: keyword
+      description: >
+        Unparsed version of the user_agent.
+
+    - name: device
+      level: extended
+      type: keyword
+      description: >
+        Name of the physical device.
+
+    - name: version
+      level: extended
+      type: keyword
+      description: >
+        Version of the physical device.
+
+    - name: major
+      level: extended
+      type: long
+      description: >
+        Major version of the user agent.
+
+    - name: minor
+      level: extended
+      type: long
+      description: >
+        Minor version of the user agent.
+
+    - name: patch
+      level: extended
+      type: keyword
+      description: >
+        Patch version of the user agent.
+
+    - name: name
+      level: extended
+      type: keyword
+      example: Chrome
+      description: >
+        Name of the user agent.