Malformed user agent alert received



I am receiving alerts in Sentinel as "Malformed user agent" and it's showing me the IP address but no other details.


Can someone help with what exactly this is? I have a few confusions below:

1. I am using multiple WAFs and I am not able to understand on which Application Gateway it is received.

2. Does this mean some malware is inside my network on some machine? If so, how do I get details of that?

3. Or was it just an attempt that was blocked by the WAF?

4. What action do I need to take in this case.


Thanks in advance.



1 Reply

@AnupamN To check the event details associated with the incident, open the incident details and, under the Events tab, click on the hyperlink shown below:


To investigate, follow the steps here:


Read up on "Malformed user agent"


Query the SecurityAlerts table under Logs:
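
An added example, not part of the original reply: one way to pull the detail behind these alerts in the Logs blade, using the `SecurityAlert` table. The 7-day lookback, the exact alert name match, and the presence of the `Query`, `Query Start Time UTC` and `Query End Time UTC` keys in `ExtendedProperties` (written by scheduled analytics rules) are assumptions to adjust for your workspace.

```kusto
// Added example. Assumptions: alert name is exactly "Malformed user agent",
// 7-day lookback, and the alert was raised by a scheduled analytics rule.
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertName == "Malformed user agent"
// An alert can be written more than once as it is updated; keep the latest copy.
| summarize arg_max(TimeGenerated, *) by SystemAlertId
// ExtendedProperties is a JSON string holding the rule query and its time window.
| extend Props = parse_json(ExtendedProperties)
| extend RuleQuery  = tostring(Props["Query"]),
         QueryStart = todatetime(Props["Query Start Time UTC"]),
         QueryEnd   = todatetime(Props["Query End Time UTC"])
// Entities is a JSON array; expand it to one row per mapped entity.
| mv-expand Entity = parse_json(Entities)
| extend EntityType = tostring(Entity.Type),
         IpAddress  = tostring(Entity.Address),
         HostName   = tostring(Entity.HostName),
         Account    = tostring(Entity.Name)
| project TimeGenerated, AlertName, AlertSeverity, ProviderName,
          EntityType, IpAddress, HostName, Account,
          QueryStart, QueryEnd, RuleQuery
| order by TimeGenerated desc
```

`RuleQuery` shows which log tables the rule searched, and re-running it over the `QueryStart` to `QueryEnd` window returns the raw events (including the user agent string and the resource that logged it) that produced the alert.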