AAD Sign In Events Beta Suspicious User Agent
Query
//Legacy Query, please use: https://github.com/jkerai1/KQL-Queries/blob/main/Defender/EntraIdSignInEvents%20-%20Suspicious%20User%20agent.kql
//This query leverages AADSignInEventsBeta (XDR only table) to look for suspicious User agents
let UserAgents = externaldata(UserAgent: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/MDA/BannedUserAgentsList.txt"] with (format="txt", ignoreFirstRecord=False); //I switched to txt after some time so ignore the inconsistency with the screenshot
AADSignInEventsBeta
//| where ErrorCode == 0 //Uncomment if you only want successes
| where UserAgent has_any(UserAgents)
| summarize count() by UserAgent //https://user-agents.net/lookup can be a good reason to lookup strings or https://useragents.io/parse
//| summarize count() by UserAgent,AccountUpn,Application //Uncomment to see users and applicationsExplanation
This query is designed to identify suspicious user agents from Azure Active Directory (AAD) sign-in events using a specific table called AADSignInEventsBeta. Here's a simple breakdown of what the query does:
-
Load Suspicious User Agents List:
- It imports a list of suspicious user agents from an external text file hosted on GitHub. This list is stored in a variable called
UserAgents.
- It imports a list of suspicious user agents from an external text file hosted on GitHub. This list is stored in a variable called
-
Filter Sign-In Events:
- The query looks at the
AADSignInEventsBetatable, which contains sign-in event data. - It filters these events to find those where the
UserAgentmatches any of the suspicious user agents from the imported list.
- The query looks at the
-
Summarize Results:
- It counts the occurrences of each suspicious user agent found in the sign-in events and summarizes the results by
UserAgent.
- It counts the occurrences of each suspicious user agent found in the sign-in events and summarizes the results by
-
Optional Filters and Summarization:
- There are commented-out lines that can be used to refine the query further:
- Uncommenting
| where ErrorCode == 0would filter the results to only include successful sign-ins. - Uncommenting
| summarize count() by UserAgent,AccountUpn,Applicationwould provide a more detailed summary, showing counts by user agent, user account, and application.
- Uncommenting
- There are commented-out lines that can be used to refine the query further:
Overall, this query helps in identifying potentially malicious or unauthorized access attempts by focusing on known suspicious user agents.
Details

Jay Kerai
Released: February 17, 2026
Tables
AADSignInEventsBeta
Keywords
UserAgentsAADSignInEventsBetaUserAgentAccountUpnApplication
Operators
letexternaldatawithwherehas_anysummarizeby