# 6️⃣ Challenge 6 — Count the Scanners

**Difficulty:** 🟠 Hard — **Skills:** Aggregation, deduplication, User-Agent analysis

## 📄 Scenario

Your WAF detected automated vulnerability scanner traffic coming from the `10.99.1.x` IP range. Multiple scanning tools were used, each with a different User-Agent string. They probed paths like `/admin`, `/phpmyadmin/`, `/.env`, `/web.config`, and other sensitive endpoints.

**Your mission:** Determine how many distinct scanner tools (unique User-Agent strings) were used in this scan.


## 📋 Prerequisites

- Lab infrastructure deployed
- WAF logs flowing to Log Analytics

## 🚀 Generate Challenge Traffic

Script: `challenge-traffic.ps1`

```powershell
cd scripts/
.\challenge-traffic.ps1 -TargetUrl "http://<your-appgw-fqdn>" -Challenge 6
```

Wait 10-15 minutes for logs to appear in Log Analytics before investigating.


## 🔍 Investigation

Filter by the scanner IP range, extract the User-Agent strings, and count the distinct values.

### Hint 1 — Filter by IP range

Use `where clientIp_s startswith "10.99.1."` to isolate scanner traffic.

### Hint 2 — Count distinct User-Agents

Use `dcount(userAgent_s)` or `summarize by UA | count` to find unique scanners.

### Hint 3 — KQL Query

```kusto
AzureDiagnostics
| where Category == "ApplicationGatewayFirewallLog"
| where clientIp_s startswith "10.99.1."
| extend UA = column_ifexists("userAgent_s", "")
| where UA != ""
| summarize RequestCount = count() by UA
| count
```

Or to see the individual scanners:

```kusto
AzureDiagnostics
| where Category == "ApplicationGatewayFirewallLog"
| where clientIp_s startswith "10.99.1."
| extend UA = column_ifexists("userAgent_s", "")
| where UA != ""
| summarize RequestCount = count() by UA
| order by RequestCount desc
```
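As an added offline version of the same pipeline (not part of the original challenge or its lab scripts), the Python below applies the three filters from the query above to a constructed set of AzureDiagnostics-shaped rows, using a CIDR membership check in place of the string prefix, and returns the per-User-Agent request counts and the distinct total. The field names and the sample records are assumptions chosen to match the query.

```python
import ipaddress
from collections import Counter

# Constructed sample of AzureDiagnostics rows, shaped like a Log Analytics
# export (field names follow the page's query). Made-up records, not lab output.
SAMPLE_ROWS = [
    {"Category": "ApplicationGatewayFirewallLog", "clientIp_s": "10.99.1.10",
     "userAgent_s": "Scanner-A/1.0", "requestUri_s": "/admin"},
    {"Category": "ApplicationGatewayFirewallLog", "clientIp_s": "10.99.1.11",
     "userAgent_s": "Scanner-B/2.3", "requestUri_s": "/phpmyadmin/"},
    {"Category": "ApplicationGatewayFirewallLog", "clientIp_s": "10.99.1.10",
     "userAgent_s": "Scanner-A/1.0", "requestUri_s": "/.env"},
    {"Category": "ApplicationGatewayFirewallLog", "clientIp_s": "10.99.1.12",
     "userAgent_s": "Scanner-C", "requestUri_s": "/web.config"},
    # User-Agent field missing: column_ifexists + `where UA != ""` drops it
    {"Category": "ApplicationGatewayFirewallLog", "clientIp_s": "10.99.1.13",
     "requestUri_s": "/admin"},
    # Outside the scanner range: excluded by the IP filter
    {"Category": "ApplicationGatewayFirewallLog", "clientIp_s": "10.99.2.5",
     "userAgent_s": "Mozilla/5.0 (browser)", "requestUri_s": "/"},
    # Access log rather than firewall log: excluded by the Category filter
    {"Category": "ApplicationGatewayAccessLog", "clientIp_s": "10.99.1.10",
     "userAgent_s": "Scanner-D/0.1", "requestUri_s": "/admin"},
]

SCANNER_NET = ipaddress.ip_network("10.99.1.0/24")  # the page's 10.99.1.x range

def in_scanner_range(ip: str) -> bool:
    """CIDR test; same effect as startswith "10.99.1." but works for any prefix length."""
    try:
        return ipaddress.ip_address(ip) in SCANNER_NET
    except ValueError:  # empty or malformed address never matches
        return False

def scanner_user_agents(rows) -> Counter:
    """Mirror the KQL pipeline: firewall rows from the range with a UA, counted per UA."""
    counts: Counter = Counter()
    for row in rows:
        if row.get("Category") != "ApplicationGatewayFirewallLog":
            continue
        if not in_scanner_range(row.get("clientIp_s", "")):
            continue
        ua = row.get("userAgent_s", "")  # column_ifexists("userAgent_s", "")
        if ua:
            counts[ua] += 1
    return counts

def count_distinct_scanners(rows) -> int:
    """The final `| count` over the summarized rows, i.e. dcount of User-Agents."""
    return len(scanner_user_agents(rows))
```

`scanner_user_agents(SAMPLE_ROWS).most_common()` gives the same ordering as the `order by RequestCount desc` variant.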


## ✅ Submit Your Answer

How many distinct scanner tools were detected?

{% include "challenges/challenge-ui.html" %}


[:octicons-arrow-left-24: Challenge 5](challenge-05.md)
[:octicons-arrow-left-24: All Challenges](index.md)