Query Details

Identity Parse User Agent

Query

//Parses the user agent into its various components to allow hunting on specific browser versions or patch levels

//Data connector required for this query - Azure Active Directory - Signin Logs

SigninLogs
| extend UserAgentDetail = todynamic(parse_user_agent(UserAgent, "browser"))
| extend UserAgentFamily = tostring(parse_json(tostring(UserAgentDetail.Browser)).Family)
| extend UserAgentMajorVersion = toint(parse_json(tostring(UserAgentDetail.Browser)).MajorVersion)
| extend UserAgentMinorVersion = toint(parse_json(tostring(UserAgentDetail.Browser)).MinorVersion)
| extend UserAgentPatch = toint(parse_json(tostring(UserAgentDetail.Browser)).Patch)
| project
    TimeGenerated,
    UserPrincipalName,
    AppDisplayName,
    ResultType,
    IPAddress,
    Location,
    UserAgentFamily,
    UserAgentMajorVersion,
    UserAgentMinorVersion,
    UserAgentPatch,
    UserAgent

Explanation

This query extracts information from the user agent field in Azure Active Directory Signin Logs. It parses the user agent into its various components such as browser family, major version, minor version, and patch level. The query then projects the relevant fields including time generated, user principal name, app display name, result type, IP address, location, browser family, major version, minor version, patch level, and the original user agent.
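The query above returns one row per sign-in, which is useful for spot checks but not for finding who is running an out-of-date browser across the tenant. The following extension, an added example rather than part of the original query, builds on it: it filters to the last 7 days and successful sign-ins before calling parse_user_agent (the function is comparatively expensive, so narrow the data first), pulls the operating system components as well as the browser ones, and then flags accounts whose browser major version trails the newest major version seen for that same browser family in the tenant. The 7-day window, the "N-3 or older" threshold and the ResultType filter are assumptions to be tuned to the environment, not values from the page.

```kql
let lookback = 7d;                 // assumed window; widen for a fuller baseline
let versionsBehindThreshold = 3;   // assumed: flag browsers 3+ major versions behind the newest seen
let parsed =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"       // successful sign-ins only; remove to include failures
    | where isnotempty(UserAgent)
    // Parse once and ask for both browser and OS components in the same call
    | extend UA = parse_user_agent(UserAgent, dynamic(["browser", "os"]))
    | extend BrowserFamily = tostring(UA.Browser.Family),
             BrowserMajor  = toint(UA.Browser.MajorVersion),
             BrowserMinor  = toint(UA.Browser.MinorVersion),
             OSFamily      = tostring(UA.OperatingSystem.Family),
             OSMajor       = toint(UA.OperatingSystem.MajorVersion)
    // Drop user agents the parser could not classify (scripts, SDKs, custom clients)
    | where isnotempty(BrowserFamily) and isnotnull(BrowserMajor);
// Baseline: the newest major version observed per browser family in this tenant
let newest =
    parsed
    | summarize NewestMajor = max(BrowserMajor) by BrowserFamily;
parsed
| join kind=inner newest on BrowserFamily
| extend VersionsBehind = NewestMajor - BrowserMajor
| where VersionsBehind >= versionsBehindThreshold
| summarize SignIns  = count(),
            LastSeen = max(TimeGenerated),
            Apps     = make_set(AppDisplayName, 10),
            IPs      = make_set(IPAddress, 10)
    by UserPrincipalName, BrowserFamily, BrowserMajor, BrowserMinor, NewestMajor, VersionsBehind, OSFamily, OSMajor
| order by VersionsBehind desc, SignIns desc
```

Because the baseline is relative to what the tenant itself reports, the query keeps working as new browser releases ship without hard-coding version numbers; the trade-off is that a family seen from only a handful of devices has a weak baseline, so review the NewestMajor column before acting on a result.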

Details


Matt Zorich

Released: June 17, 2022

Tables

SigninLogs

Keywords

Devices,Intune,User

Operators

extend, todynamic, parse_user_agent, tostring, parse_json, project
