Malformed user agent alert received


Hi,

I am receiving alerts in Sentinel as "Malformed user agent", and it's showing me the IP address but no other details.

Can someone help on what exactly this is? I have a few confusions below:

1. I am using multiple WAFs, and I am not able to understand on which Application Gateway it is received.

2. Does this mean some malware is inside my network on some machine? Then how do I get details of that?

3. Or was it just an attempt, and blocked by the WAF?

4. What action do I need to take in this case?

Thanks in advance.

1 Reply

@AnupamN To check the event details associated with the incident, open the incident details and, under the Events tab, click on the hyperlink shown below:

[Screenshot: Joseph-Abraham_1-1607067203296.png]

To investigate, follow the steps here: https://docs.microsoft.com/en-us/azure/sentinel/tutorial-investigate-cases

Read up on "Malformed user agent".

Query the SecurityAlerts table under Logs:

[Screenshot: Joseph-Abraham_2-1607067938097.png]
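As an added example (not part of the reply above, and not Microsoft's own query), here is the kind of KQL you would paste into Logs to get the detail the alert card does not show. The first query reads the `SecurityAlert` table and surfaces the `ResourceId` and the alert's extended properties and entities, which is where the affected resource and the reported client IP live; that is what tells you which gateway or app the alert belongs to. The second query assumes the Application Gateway WAF diagnostic logs are also being sent to the same Log Analytics workspace (the `AzureDiagnostics` table with category `ApplicationGatewayFirewallLog`); it looks up the client IP from the alert and shows what the WAF did with those requests (`action_s` shows Blocked, Matched or Detected), which answers whether the attempt was blocked. The IP `203.0.113.10` is a constructed placeholder; replace it with the one from your alert.

```kql
// Added example, not from the original post. Run each query separately in Logs.
// Assumes Sentinel's workspace holds the SecurityAlert table.
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertName has "Malformed user agent"
| extend Props = parse_json(ExtendedProperties)   // vendor-specific detail (user agent string, client IP, ...)
| extend Ents  = parse_json(Entities)             // entity list (IP, host, cloud resource) used by the graph
| project
    TimeGenerated,
    AlertName,
    AlertSeverity,
    ProviderName,       // which product raised the alert
    ResourceId,         // the Azure resource the alert is attached to: identifies the gateway/app
    CompromisedEntity,
    Description,
    RemediationSteps,   // the vendor's recommended action for this alert
    Props,
    Ents
| order by TimeGenerated desc

// Second query. Assumes WAF diagnostic logs are sent to this workspace
// (AzureDiagnostics schema column names are assumed here).
let suspectIp = "203.0.113.10";   // constructed placeholder: use the IP from the alert
AzureDiagnostics
| where TimeGenerated > ago(7d)
| where Category == "ApplicationGatewayFirewallLog"
| where clientIp_s == suspectIp
| project
    TimeGenerated,
    Resource,           // which Application Gateway logged the request
    hostname_s,         // which site behind it was targeted
    requestUri_s,
    ruleId_s,           // WAF rule that fired
    action_s,           // Blocked / Matched / Detected: tells you whether the WAF stopped it
    Message
| order by TimeGenerated desc
```

If the second query returns nothing for the IP, the WAF logs are probably not flowing into this workspace; enable the firewall log category in the gateway's diagnostic settings before drawing any conclusion from the empty result.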