You will not detect APTs with this but you will weed out low hanging fruit and not too savvy pentesters :)
user_agent IN ("burp" "burpcollaborator.net" "qualys" "nexpose" "OpenVAS" "Nikto" "Meterpreter" "IceWeasel" "DirB" "Comodo" "Tripwire" "Retina" "MBSA" "ImmuniWeb" "Netsparker" "Acunetix" "Intruder" "WinHttp.WinHttpRequest" "nmap" "CVE" "base64" "eval" "ftp" "/script" "javascript" "alert" ) NOT (user_agent="google") | eval detection_description=if(like(user_agent,"%WinHttpRequest%"),"CScript or VBScript Call",detection_description) | eval detection_description=if(like(user_agent,"%Iceweasel%"),"Potentially Kali",detection_description) | eval detection_description=if(like(user_agent,"%Meterpreter%"),"Meterpreter",detection_description)