
Summary
This hunting query surfaces source IP activity that uses uncommon HTTP User-Agent headers across multiple URI paths in Cisco SD-WAN Manager serviceproxy access logs. It aggregates by source IP and http_user_agent, identifies combinations that touch more than one distinct URI, and constrains the result to low-volume traffic (requests <= 50) to reduce noise from normal high-volume activity. The hunt is designed so that investigators can pivot on http_user_agent and src to surface automation, scripted reconnaissance, or exploitation attempts targeting the SD-WAN service proxy.

The SPL-based detection parses the standard proxy access fields (method, URI, protocol, response code, bytes, duration, src, user_agent, etc.), extracts the URI path, bins events into 5-minute windows, and computes per-src, per-user_agent metrics: the number of requests and the number of unique URIs accessed. It then filters for low-volume, multi-URI activity, timestamps the activity window, and applies a final filter via a macro for consolidation. The detection is implemented as a Splunk search with a dedicated macro (cisco_sd_wan___uncommon_user_agent_multi_uri_activity_filter) that enforces the low-volume, multi-URI constraint.

The rule relies on Cisco SD-WAN Envoy service-proxy logs, typically located at /var/log/nms/containers/service-proxy/serviceproxy-access.log. Known false positives are not identified, and the references provide Cisco security context and related CVE-style material.
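The aggregation the summary describes, re-implemented stand-alone in Python as an added example (this is not the Splunk search or macro itself). It assumes the serviceproxy access log uses the default Envoy access-log layout; the sample lines and the 198.51.100.7 / 203.0.113.9 addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in the default Envoy access-log layout (an assumption; the real
# serviceproxy-access.log fields on a given SD-WAN Manager build may differ):
# [time] "METHOD URI PROTO" status flags bytes_in bytes_out dur upstream_ms "src" "user_agent" ...
SAMPLE_LOG = """\
[2026-03-09T10:00:01.000Z] "GET /dataservice/client/server HTTP/1.1" 200 - 0 512 12 11 "198.51.100.7" "python-requests/2.31" "r1" "vmanage" "10.0.0.5:8443"
[2026-03-09T10:01:15.000Z] "GET /dataservice/device?deviceId=1 HTTP/1.1" 403 - 0 128 5 4 "198.51.100.7" "python-requests/2.31" "r2" "vmanage" "10.0.0.5:8443"
[2026-03-09T10:02:30.000Z] "POST /dataservice/tenant HTTP/1.1" 404 - 44 96 7 6 "198.51.100.7" "python-requests/2.31" "r3" "vmanage" "10.0.0.5:8443"
[2026-03-09T10:03:00.000Z] "GET /dataservice/client/server HTTP/1.1" 200 - 0 512 10 9 "203.0.113.9" "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0" "r4" "vmanage" "10.0.0.5:8443"
[2026-03-09T10:03:05.000Z] "GET /dataservice/client/server HTTP/1.1" 200 - 0 512 10 9 "203.0.113.9" "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0" "r5" "vmanage" "10.0.0.5:8443"
"""
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) (?P<proto>\S+)" (?P<status>\d+) \S+ '
    r'(?P<bytes_in>\d+) (?P<bytes_out>\d+) (?P<duration>\d+) \S+ "(?P<src>[^"]*)" "(?P<user_agent>[^"]*)"')

def parse_line(line):
    """Parse one access-log line into the fields the hunt uses; None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["_time"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    rec["uri_path"] = rec["uri"].split("?", 1)[0]  # URI path only, query string dropped
    return rec

def hunt(log_text, max_requests=50, bin_seconds=300):
    """Per (src, user_agent): count requests and distinct URI paths; keep low-volume, multi-URI pairs."""
    stats = defaultdict(lambda: {"count": 0, "uris": set(), "bins": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable lines are skipped, as unmatched events would be in the search
        s = stats[(rec["src"], rec["user_agent"])]
        s["count"] += 1
        s["uris"].add(rec["uri_path"])
        s["bins"].add(int(rec["_time"].timestamp()) // bin_seconds * bin_seconds)  # 5-minute bucket
    hits = []
    for (src, ua), s in stats.items():
        if s["count"] <= max_requests and len(s["uris"]) > 1:  # the macro's low-volume, multi-URI constraint
            hits.append({"src": src, "user_agent": ua, "requests": s["count"], "unique_uris": len(s["uris"]),
                         "first_bin": datetime.fromtimestamp(min(s["bins"]), tz=timezone.utc).isoformat(),
                         "last_bin": datetime.fromtimestamp(max(s["bins"]), tz=timezone.utc).isoformat()})
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

On the sample, only the python-requests source survives: three requests across three paths, while the browser source hits a single path and is dropped.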
Categories
- Network
Data Sources
- Network Traffic
ATT&CK Techniques
- T1595
Created: 2026-03-09