We often want to shut off / ratelimit bot traffic on various services that uses generic User-Agents like "python-requests/x.y". In addition such requests with generic UAs break our UA policy.
However many of our custom Icinga checks send generic User-Agents in violation of this. This has the unfortunate side effect of sometimes we shut off harmful bot traffic and in the process break our own monitoring.
After some discussion when this came up on WDQS, we decided that the UA for an icinga check should be wmf-icinga/<script_name> (root@wikimedia.org).