Annotator ua

User-Agent anomaly

User-Agent signals look missing, inconsistent, or indicative of non-browser tooling.

Attack family · Tooling fingerprint and evasion
Phase · Reconnaissance, exploit staging, and disguise
Risk · Medium

What This Annotator Watches

This explanation is derived from the live annotator implementation, not hand-waved catalog copy.
Focus
  • Missing, empty, or malformed user-agent values
  • Scanner, CLI, library, and headless browser signatures
  • Spoofing and improbable token combinations inside the user-agent string
Logic
  • The annotator escalates from weak anomalies to stronger tool signatures.
  • Known scanner tokens and headless frameworks carry stronger weight than generic short user-agents.
  • Output is best read together with scan velocity, method anomalies, and auth probing.
Attack Family
Tooling fingerprint and evasion
The User-Agent often reveals whether the client is a browser, a scanner, a library, or an intentionally disguised tool. That gives defenders a fast clue about how much intent and automation may sit behind the traffic.
Damage Patterns
  • Suspicious User-Agent strings often precede endpoint enumeration, auth probing, and exploit delivery.
  • Malformed or rotating User-Agent values can degrade attribution and make ordinary request logs harder to trust.
Incident Lore
  • Blue teams repeatedly discover that early scan waves were visible in strange UA strings long before the campaign was triaged seriously.
  • Attackers often start with obvious tooling and only improve their disguise if defenders fail to react.
How To Read It
A malformed or tooling-oriented user-agent is a powerful supporting signal, but rarely the whole story by itself.
Defender Takeaway
This is rarely the whole case by itself, but it is often the first tell that the traffic belongs to a toolchain rather than a person.
Catalog Definition
Flags anomalous User-Agent behavior such as missing UA, obviously synthetic UA strings, improbable combinations, or frequent UA switching. This supports distinguishing normal browsing from automation and tooling. Some legitimate privacy tools, enterprise stacks, and monitoring agents can trigger this, so interpret alongside other signals (velocity, endpoint diversity, error rates).
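
The escalation described under Logic and in the Catalog Definition, as an added Python example that is not the annotator's own code. Only the rule id `ua:very_short` appears on this page; the other rule ids, the weights, the token lists and both thresholds are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Only the rule id "ua:very_short" appears on the page; the other ids, every
# weight, the token lists and both thresholds are assumptions for illustration.
WEIGHTS = {"ua:very_short": 1, "ua:missing": 2, "ua:switching": 2,
           "ua:improbable_combo": 3, "ua:library": 3, "ua:headless": 4, "ua:scanner": 5}
TOOLS = (("ua:scanner", re.compile(r"sqlmap|nikto|nmap|masscan|nuclei|wpscan", re.I)),
         ("ua:headless", re.compile(r"HeadlessChrome|PhantomJS", re.I)),
         ("ua:library", re.compile(r"^(curl|wget|python-requests|go-http-client)/", re.I)))
PLATFORMS = ("Windows NT", "Macintosh", "iPhone", "Android")
SHORT_LEN, SWITCH_MIN = 20, 3

def annotate_ua(ua):
    """Return the rule ids that fire for a single User-Agent header value."""
    ua = (ua or "").strip()
    if ua in ("", "-"):  # "-" is how common access-log formats record an absent header
        return ["ua:missing"]
    rules = [rule for rule, rx in TOOLS if rx.search(ua)]
    if sum(p in ua for p in PLATFORMS) >= 2:  # claims two platforms at once
        rules.append("ua:improbable_combo")
    if not rules and len(ua) < SHORT_LEN:  # weak fallback, only if nothing stronger fired
        rules.append("ua:very_short")
    return rules

def annotate_events(events):
    """Map (client_ip, user_agent) pairs to (ip, ua, rules, weight); flag per-client UA rotation."""
    seen = defaultdict(set)
    for ip, ua in events:
        seen[ip].add((ua or "").strip())
    out = []
    for ip, ua in events:
        rules = annotate_ua(ua) + (["ua:switching"] if len(seen[ip]) >= SWITCH_MIN else [])
        out.append((ip, ua, rules, max((WEIGHTS[r] for r in rules), default=0)))
    return out

# Constructed sample events (documentation address ranges, not real traffic).
SAMPLE = [
    ("192.0.2.10", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0"),
    ("192.0.2.20", "-"),
    ("192.0.2.30", "Mozilla/5.0 (iPhone; Windows NT 10.0) Safari/604.1"),
    ("192.0.2.40", "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120.0.0.0 Safari/537.36"),
    ("198.51.100.7", "Mozilla/5.0"),
    ("198.51.100.7", "curl/8.4.0"),
    ("198.51.100.7", "sqlmap/1.7 (https://sqlmap.org)"),
]
if __name__ == "__main__":
    for ip, ua, rules, weight in annotate_events(SAMPLE):
        print(f"{ip:<13} weight={weight} {','.join(rules) or 'no match'}")
```

A short value such as `curl/8.4.0` is reported as `ua:library` rather than `ua:very_short`, reflecting the page's point that tool signatures outweigh generic short strings.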

10 Most Recent Real Samples

Cached weekly from live annotated access events so the catalog stays fast.
Week: 2026W16
Lookback: 30 days
Total matched: 152579
Latest sample: Apr 13, 2026 • 00:59
Top rules: ua:very_short · 10
Top requester orgs: Microsoft Azure Cloud (canadacentral) · 10
Severity mix: 8 · 10
Method mix: GET · 10
GET 404 8
Apr 13, 2026 • 00:59
/new4.php
Very short User-Agent string
IP 20.104.245.70 Subnet 20.104.245.0/24 Org Microsoft Azure Cloud (canadacentral) Country Canada Rule ua:very_short
GET 301 8
Apr 13, 2026 • 00:59
/new4.php
Very short User-Agent string
IP 20.104.245.70 Subnet 20.104.245.0/24 Org Microsoft Azure Cloud (canadacentral) Country Canada Rule ua:very_short
GET 404 8
Apr 13, 2026 • 00:59
/ssh3ll.php
Very short User-Agent string
IP 20.104.245.70 Subnet 20.104.245.0/24 Org Microsoft Azure Cloud (canadacentral) Country Canada Rule ua:very_short
GET 301 8
Apr 13, 2026 • 00:59
/ssh3ll.php
Very short User-Agent string
IP 20.104.245.70 Subnet 20.104.245.0/24 Org Microsoft Azure Cloud (canadacentral) Country Canada Rule ua:very_short
GET 404 8
Apr 13, 2026 • 00:59
/i6z19N.php
Very short User-Agent string
IP 20.104.245.70 Subnet 20.104.245.0/24 Org Microsoft Azure Cloud (canadacentral) Country Canada Rule ua:very_short
GET 301 8
Apr 13, 2026 • 00:59
/i6z19N.php
Very short User-Agent string
IP 20.104.245.70 Subnet 20.104.245.0/24 Org Microsoft Azure Cloud (canadacentral) Country Canada Rule ua:very_short
GET 404 8
Apr 13, 2026 • 00:59
/wpls.php
Very short User-Agent string
IP 20.104.245.70 Subnet 20.104.245.0/24 Org Microsoft Azure Cloud (canadacentral) Country Canada Rule ua:very_short
GET 301 8
Apr 13, 2026 • 00:59
/wpls.php
Very short User-Agent string
IP 20.104.245.70 Subnet 20.104.245.0/24 Org Microsoft Azure Cloud (canadacentral) Country Canada Rule ua:very_short
GET 404 8
Apr 13, 2026 • 00:59
/kma.php
Very short User-Agent string
IP 20.104.245.70 Subnet 20.104.245.0/24 Org Microsoft Azure Cloud (canadacentral) Country Canada Rule ua:very_short
GET 301 8
Apr 13, 2026 • 00:59
/kma.php
Very short User-Agent string
IP 20.104.245.70 Subnet 20.104.245.0/24 Org Microsoft Azure Cloud (canadacentral) Country Canada Rule ua:very_short