Query Details

AAD Sign In Events Beta Suspicious User Agent

Query

//Legacy Query, please use: https://github.com/jkerai1/KQL-Queries/blob/main/Defender/EntraIdSignInEvents%20-%20Suspicious%20User%20agent.kql
//This query leverages AADSignInEventsBeta (XDR only table) to look for suspicious User agents
let UserAgents = externaldata(UserAgent: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/MDA/BannedUserAgentsList.txt"] with (format="txt", ignoreFirstRecord=False); //I switched to txt after some time so ignore the inconsistency with the screenshot
AADSignInEventsBeta
//| where ErrorCode == 0 //Uncomment if you only want successes
| where UserAgent has_any(UserAgents)
| summarize count() by UserAgent //https://user-agents.net/lookup can be a good reason to lookup strings or https://useragents.io/parse
//| summarize count() by UserAgent,AccountUpn,Application //Uncomment to see users and applications

Explanation

This query is designed to identify suspicious user agents from Azure Active Directory (AAD) sign-in events using a specific table called AADSignInEventsBeta. Here's a simple breakdown of what the query does:

  1. Load Suspicious User Agents List:

    • It imports a list of suspicious user agents from an external text file hosted on GitHub. This list is stored in a variable called UserAgents.
  2. Filter Sign-In Events:

    • The query looks at the AADSignInEventsBeta table, which contains sign-in event data.
    • It filters these events to find those where the UserAgent matches any of the suspicious user agents from the imported list.
  3. Summarize Results:

    • It counts the occurrences of each suspicious user agent found in the sign-in events and summarizes the results by UserAgent.
  4. Optional Filters and Summarization:

    • There are commented-out lines that can be used to refine the query further:
      • Uncommenting | where ErrorCode == 0 would filter the results to only include successful sign-ins.
      • Uncommenting | summarize count() by UserAgent,AccountUpn,Application would provide a more detailed summary, showing counts by user agent, user account, and application.

Overall, this query helps in identifying potentially malicious or unauthorized access attempts by focusing on known suspicious user agents.

Details

Jay Kerai profile picture

Jay Kerai

Released: February 17, 2026

Tables

AADSignInEventsBeta

Keywords

UserAgentsAADSignInEventsBetaUserAgentAccountUpnApplication

Operators

letexternaldatawithwherehas_anysummarizeby

Actions

GitHub