Query Details
//This query is the update to https://github.com/jkerai1/KQL-Queries/blob/main/Defender/AADSignInEventsBeta%20-%20Suspicious%20User%20agent.kql
//This query leverages EntraIdSignInEvents (XDR only table) to look for suspicious User agents
let UserAgents = externaldata(UserAgent: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/MDA/BannedUserAgentsList.txt"] with (format="txt", ignoreFirstRecord=False); //I switched to txt after some time so ignore the inconsistency with the screenshot
EntraIdSignInEvents
//| where ErrorCode == 0 //Uncomment if you only want successes
| where UserAgent has_any(UserAgents)
| summarize count() by UserAgent //https://user-agents.net/lookup can be a good resource to look up strings, or https://useragents.io/parse
//| summarize count() by UserAgent,AccountUpn,Application //Uncomment to see users and applications
This query is designed to identify suspicious user agents from sign-in events using Microsoft's Entra ID (formerly Azure Active Directory) data. Here's a simple breakdown of what it does:
External Data Source: It starts by loading a list of suspicious user agents from an external text file hosted on GitHub. This list is used to identify potentially malicious or unwanted user agents.
Data Source: The query uses the EntraIdSignInEvents table, which contains sign-in event data. This table is part of Microsoft's Extended Detection and Response (XDR) capabilities.
Filtering: The query checks each sign-in event to see if the UserAgent field matches any of the user agents listed in the external file. If a match is found, it indicates a potentially suspicious sign-in attempt.
Summarization: It summarizes the results by counting the occurrences of each suspicious user agent. This helps in identifying which user agents are most frequently involved in potentially suspicious activities.
Optional Filtering: There are commented-out lines in the query that can be uncommented to:
- Restrict the results to successful sign-ins only, where ErrorCode is 0.
- Provide more detailed information by summarizing the data with additional fields like AccountUpn (the user's principal name) and Application, to see which users and applications are associated with these suspicious user agents.

Overall, this query is used to monitor and detect potentially malicious sign-in activity by focusing on the user agents involved in that activity.
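To see the match and summarize steps on concrete data, here is an added Python model of the query (not part of this page or the author's repository). The banned list, the sign-in rows and the term-based `has_any` are all constructed or assumed: Kusto's real `has` works on its own indexed terms, so the tokenizer below only approximates it, but it shows the key point that list entries match whole terms (so "curl" hits "curl/8.4.0" but not "curlybrowser").

```python
import re
from collections import Counter

# Constructed stand-in for BannedUserAgentsList.txt (one entry per line, no header).
BANNED_USER_AGENTS = "python-requests\ncurl\nGo-http-client\n".splitlines()

# Constructed sign-in rows carrying the EntraIdSignInEvents columns the query touches.
SIGN_IN_EVENTS = [
    {"UserAgent": "python-requests/2.31.0", "AccountUpn": "alice@example.com", "Application": "Office 365 Exchange Online", "ErrorCode": 0},
    {"UserAgent": "curl/8.4.0", "AccountUpn": "bob@example.com", "Application": "Azure Portal", "ErrorCode": 50126},
    {"UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36", "AccountUpn": "carol@example.com", "Application": "Microsoft Teams", "ErrorCode": 0},
    {"UserAgent": "python-requests/2.31.0", "AccountUpn": "dave@example.com", "Application": "Microsoft Graph", "ErrorCode": 0},
    {"UserAgent": "Go-http-client/1.1", "AccountUpn": "svc-backup@example.com", "Application": "Microsoft Graph", "ErrorCode": 0},
    # "curlybrowser" is one term, so a term-based "curl" entry must NOT match it.
    {"UserAgent": "Mozilla/5.0 (curlybrowser/1.0)", "AccountUpn": "erin@example.com", "Application": "Azure Portal", "ErrorCode": 0},
]

# Assumed tokenizer: terms are maximal runs of alphanumerics/underscore, compared case-insensitively.
TERM = re.compile(r"[A-Za-z0-9_]+")


def terms(value):
    return [t.lower() for t in TERM.findall(value)]


def has(haystack, needle):
    """Approximation of Kusto `has`: needle's terms appear as a contiguous run of haystack's terms."""
    h, n = terms(haystack), terms(needle)
    if not n:
        return False
    return any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))


def has_any(value, needles):
    return any(has(value, needle) for needle in needles)


def suspicious_user_agents(events, banned, successes_only=False, by_user_and_app=False):
    """Models the query: optional ErrorCode == 0 filter, has_any match, then summarize count()."""
    rows = [e for e in events if (not successes_only or e["ErrorCode"] == 0)]
    rows = [e for e in rows if has_any(e["UserAgent"], banned)]
    if by_user_and_app:  # the commented-out summarize by UserAgent, AccountUpn, Application
        key = lambda e: (e["UserAgent"], e["AccountUpn"], e["Application"])
    else:                # the default summarize count() by UserAgent
        key = lambda e: e["UserAgent"]
    return dict(Counter(key(e) for e in rows))


if __name__ == "__main__":
    for ua, n in suspicious_user_agents(SIGN_IN_EVENTS, BANNED_USER_AGENTS).items():
        print(f"{n:>3}  {ua}")
```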

Jay Kerai
Released: February 17, 2026