4⃣ Challenge 4 — Bot Detective

Difficulty: 🟡 Medium — Skills: User-Agent analysis, bot detection

📄 Scenario

A malicious bot has been crawling your entire site — scanning admin pages, configuration files, backup files, and sensitive endpoints. It uses a custom User-Agent string that doesn't match any known browser or legitimate bot.

The bot made approximately 60 requests across 20 different paths.

Your mission: Identify the bot's User-Agent string.


📋 Prerequisites

  • Lab infrastructure deployed
  • WAF logs flowing to Log Analytics
  • Bot Manager ruleset enabled (default in workshop setup)

🚀 Generate Challenge Traffic

Script: challenge-traffic.ps1

```powershell
cd scripts/
.\challenge-traffic.ps1 -TargetUrl "http://<your-appgw-fqdn>" -Challenge 4
```

Wait 10-15 minutes for logs to appear in Log Analytics before investigating.


🔍 Investigation

Look for unusual User-Agent strings in the WAF or Access logs. The bot's UA won't match standard browsers.

Hint 1 — Where to find User-Agent

Check the userAgent_s field in WAF logs, or look at the Access Log for non-standard UAs.

Hint 2 — Filter out legitimate browsers

User-Agent strings sent by legitimate browsers contain the token Mozilla. Filter for UAs that don't match known patterns.

Hint 3 — KQL Query
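
```kql
AzureDiagnostics
// WAF firewall log entries produced by the Bot Manager ruleset
| where Category == "ApplicationGatewayFirewallLog"
| where ruleSetType_s == "Microsoft_BotManagerRuleSet"
// column_ifexists avoids a query error if userAgent_s has not been populated yet
| extend UA = column_ifexists("userAgent_s", "")
| summarize Count = count() by UA
// Drop browser-style UAs and empty values, then rank what remains by volume
| where UA !contains "Mozilla" and UA != ""
| order by Count desc
```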
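
An added example, not part of the original workshop material: the same filter applied to the Access log, ranking non-browser User-Agents by request count and by how many distinct paths they touched, which is the crawl pattern the scenario describes. The two-hour window and the thresholds are assumptions to tune; `requestUri_s`, `clientIP_s` and `httpStatus_d` are the Application Gateway access-log columns in AzureDiagnostics.

```kql
// Added example: profile non-browser User-Agents by volume and path spread.
AzureDiagnostics
| where Category == "ApplicationGatewayAccessLog"
| where TimeGenerated > ago(2h)                      // assumed window covering the traffic run
| extend UA     = column_ifexists("userAgent_s", ""),
         Path   = column_ifexists("requestUri_s", ""),
         Client = column_ifexists("clientIP_s", ""),
         Status = column_ifexists("httpStatus_d", real(null))
| where isnotempty(UA) and UA !contains "Mozilla"
| summarize Requests      = count(),
            DistinctPaths = dcount(Path),
            NotFound      = countif(Status == 404),  // probing for files that do not exist
            SamplePaths   = make_set(Path, 10),
            Clients       = make_set(Client, 5),
            FirstSeen     = min(TimeGenerated),
            LastSeen      = max(TimeGenerated)
        by UA
// Assumed thresholds: the scenario describes about 60 requests across 20 paths
| where Requests >= 30 and DistinctPaths >= 10
| order by DistinctPaths desc, Requests desc
```

Path spread is the more durable signal of the two: a crawler can send a `Mozilla` User-Agent, so in production drop the `!contains "Mozilla"` filter and rank all UAs by `DistinctPaths` instead.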

✅ Submit Your Answer

What is the exact User-Agent string of the malicious bot?
