Query Details

AAD Sign In Events Beta Suspicious User Agent

Query

//This query leverages AADSignInEventsBeta (XDR only table) to look for suspicious User agents
let UserAgents = externaldata(UserAgent: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/MDA/BannedUserAgentsList.txt"] with (format="txt", ignoreFirstRecord=False); //I switched to txt after some time so ignore the inconsistency with the screenshot
AADSignInEventsBeta
//| where ErrorCode == 0 //Uncomment if you only want successes
| where UserAgent has_any(UserAgents)
| summarize count() by UserAgent //https://user-agents.net/lookup can be a good resource to look up strings, or https://useragents.io/parse
//| summarize count() by UserAgent,AccountUpn,Application //Uncomment to see users and applications

Explanation

This query is designed to identify potentially suspicious user agents from Azure Active Directory sign-in events. Here's a simple breakdown of what it does:

  1. Load Suspicious User Agents List: It starts by loading a list of suspicious user agents from an external text file hosted on GitHub. This list is used to identify potentially malicious or unwanted user agents.

  2. Filter Sign-In Events: The query examines sign-in events from the AADSignInEventsBeta table, which contains data about user sign-ins.

  3. Match User Agents: It filters these events to those whose user agent contains any entry from the suspicious list. Because has_any is a case-insensitive term match rather than an exact comparison, a list entry such as a client name will match that client regardless of the version suffix in the full user agent string.

  4. Count Occurrences: The query then counts how many times each suspicious user agent appears in the sign-in events.

  5. Optional Filters: There are commented-out lines that, if activated, would further refine the results:

    • One line would filter the results to only include successful sign-ins (where ErrorCode is 0).
    • Another line would provide additional details by counting occurrences by user agent, user account, and application.

Overall, this query helps in identifying and analyzing sign-in attempts that use potentially harmful or unauthorized user agents, which could be indicative of suspicious activity.
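The matching and summarize steps described above, reproduced offline as an added example (not part of the original query or its author's code). The denylist and sign-in rows are constructed stand-ins for the externaldata() file and the AADSignInEventsBeta table, and has_any is approximated as a case-insensitive whole-term match.

```python
import re
from collections import Counter

# Constructed stand-in for the externaldata() text file: one banned user agent per line.
BANNED_USER_AGENTS = ["python-requests", "curl", "Go-http-client"]

# Constructed stand-in rows for AADSignInEventsBeta (all values are made up).
SIGN_IN_EVENTS = [
    {"UserAgent": "python-requests/2.31.0", "AccountUpn": "alice@contoso.example",
     "Application": "Office 365 Exchange Online", "ErrorCode": 0},
    {"UserAgent": "python-requests/2.31.0", "AccountUpn": "bob@contoso.example",
     "Application": "Office 365 Exchange Online", "ErrorCode": 50126},
    {"UserAgent": "curl/8.4.0", "AccountUpn": "svc-backup@contoso.example",
     "Application": "Azure Portal", "ErrorCode": 0},
    {"UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
     "AccountUpn": "carol@contoso.example", "Application": "Azure Portal", "ErrorCode": 0},
    {"UserAgent": "curlish-agent/1.0", "AccountUpn": "dave@contoso.example",
     "Application": "Azure Portal", "ErrorCode": 0},
]

def terms(text):
    """Split on non-alphanumerics and lower-case: an approximation of the terms KQL indexes."""
    return [t.lower() for t in re.split(r"[^A-Za-z0-9]+", text) if t]

def has_any(value, needles):
    """Approximates KQL has_any: case-insensitive, whole-term match, so
    'curl' matches 'curl/8.4.0' but not 'curlish-agent/1.0'."""
    value_terms = terms(value)
    for needle in needles:
        n = terms(needle)
        if not n:
            continue  # skip blank lines in the denylist file
        if any(value_terms[i:i + len(n)] == n for i in range(len(value_terms) - len(n) + 1)):
            return True
    return False

def suspicious_user_agents(events, banned, successes_only=False, keys=("UserAgent",)):
    """Mirror of the query: optional ErrorCode == 0 filter, has_any match, summarize count() by keys."""
    rows = [e for e in events if not successes_only or e["ErrorCode"] == 0]
    rows = [e for e in rows if has_any(e["UserAgent"], banned)]
    return dict(Counter(tuple(e[k] for k in keys) for e in rows))

if __name__ == "__main__":
    # Same output shape as the query's "summarize count() by UserAgent" line.
    for key, n in suspicious_user_agents(SIGN_IN_EVENTS, BANNED_USER_AGENTS).items():
        print(n, *key)
```

Passing keys=("UserAgent", "AccountUpn", "Application") reproduces the commented-out per-user, per-application breakdown.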

Details

Jay Kerai

Released: November 28, 2024

Tables

AADSignInEventsBeta

Keywords

AADSignInEventsBeta, User, UserAgent, AccountUpn, Application

Operators

let, externaldata, with, where, has_any, summarize, by