From 50f1938c25b5f63115e1e43dabfcb6ac62a577e3 Mon Sep 17 00:00:00 2001
From: "Joseph A. M." <91287801+josamontiel@users.noreply.github.com>
Date: Sat, 2 Aug 2025 12:42:21 +0100
Subject: [PATCH] Create Hello-World-User-Agent.kql

KQL to check hello-world user agent observed in a new web scraping botnet https://www.greynoise.io/blog/new-scraper-botnet-concentrated-in-taiwan
---
 Sentinel/Hello-World-User-Agent.kql | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 Sentinel/Hello-World-User-Agent.kql

diff --git a/Sentinel/Hello-World-User-Agent.kql b/Sentinel/Hello-World-User-Agent.kql
new file mode 100644
index 0000000..7ccd589
--- /dev/null
+++ b/Sentinel/Hello-World-User-Agent.kql
@@ -0,0 +1 @@
+CommonSecurityLog | where (HttpUserAgentOriginal =~ @'Hello-World/1.0' and RequestMethod =~ @'GET' and dest_port in (80, 81, 82, 83, 84, 85) and source_ip != '192.168.1.0/24')
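Review bot: The internal-network exclusion `source_ip != '192.168.1.0/24'` is a plain string comparison against a CIDR literal, so it never excludes anything — no address value equals the text "192.168.1.0/24" — and the query will still return hits from the local range it was meant to drop; use the subnet function instead, `and not(ipv4_is_in_range(source_ip, '192.168.1.0/24'))`. The column names also look inconsistent with the table: `CommonSecurityLog` exposes the CEF fields as `SourceIP`, `DestinationPort` and (for the user agent) `RequestClientApplication`, while `HttpUserAgentOriginal`, `dest_port` and `source_ip` read as names from a different schema, so the query will likely fail to resolve those columns as written — worth confirming against the workspace before this is wired into an analytics rule. Consider a short header comment stating the intent and the 192.168.1.0/24 range's role, e.g. `// Hunts for the 'Hello-World/1.0' user agent (GreyNoise scraper botnet, Aug 2025); adjust the excluded local range to your environment`, since the hard-coded subnet is environment-specific. If this is meant to run ad hoc rather than as a scheduled rule, a `TimeGenerated` bound should be added so it does not scan the whole retention window.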