Query Details

Multiple Malformed User Agents

Query

union isfuzzy=true
    (AuditLogs
    | mv-expand AdditionalDetail = AdditionalDetails
    | where AdditionalDetail["key"] == "User-Agent"
    | extend UserAgent = tostring(AdditionalDetail["value"])
    ),
    (AWSCloudTrail
    | where isnotempty(UserAgent)
    ),
    (AzureDiagnostics
    | where Category == "ApplicationGatewayAccessLog" and OperationName == "ApplicationGatewayAccess"
    | extend UserAgent = columnifexists("userAgent_s", "")
    | where isnotempty(UserAgent)
    ),
    (ContainerLog
    | parse-where LogEntry with IPAddress ' - - [' Date '] "' Request '" ' ResponseCode ' ' Bytes ' "' URL '" "' UserAgent '" "' IPAddress2 '"'  *
    | where not(isempty(UserAgent) or UserAgent == "-")
    | extend IPAddress = tostring(split(IPAddress, " ")[-1])
    ),
    (ContainerRegistryLoginEvents
    | where isnotempty(UserAgent)
    ),
    (ContainerRegistryRepositoryEvents
    | where isnotempty(UserAgent)
    ),
    (MicrosoftGraphActivityLogs
    | where isnotempty(UserAgent)
    ),
    (OfficeActivity
    | where isnotempty(UserAgent)
    ),
    (OfficeActivity
    | where RecordType in ("AzureActiveDirectory", "AzureActiveDirectoryStsLogon")
    | parse ExtendedProperties with * 'User-Agent\\":\\"' UserAgent2 '\\' *
    | parse ExtendedProperties with * 'UserAgent",      "Value": "' UserAgent1 '"' *
    | where isnotempty(UserAgent1) or isnotempty(UserAgent2)
    | extend UserAgent = iff(RecordType == "AzureActiveDirectoryStsLogon", UserAgent1, UserAgent2)
    ),
    (SigninLogs
    | where isnotempty(UserAgent)
    ),
    (AADNonInteractiveUserSignInLogs
    | where isnotempty(UserAgent)
    ),
    (ADFSSignInLogs
    | where not(isempty(UserAgent) or UserAgent == "-")
    ),
    (StorageBlobLogs
    | where isnotempty(UserAgentHeader)
    | extend UserAgent = UserAgentHeader
    ),
    (StorageFileLogs
    | where isnotempty(UserAgentHeader)
    | extend UserAgent = UserAgentHeader
    ),
    (StorageQueueLogs
    | where isnotempty(UserAgentHeader)
    | extend UserAgent = UserAgentHeader
    ),
    (StorageTableLogs
    | where isnotempty(UserAgentHeader)
    | extend UserAgent = UserAgentHeader
    ),
    (W3CIISLog
    | where isnotempty(csUserAgent)
    | extend UserAgent = csUserAgent
    )
| summarize take_any(*) by Type, UserAgent
| where UserAgent startswith "User"
    or  UserAgent startswith @'\"'
    or  UserAgent startswith '"'
    or  UserAgent contains "Mozilla" and not(UserAgent contains_cs "Mozilla")
    or  UserAgent contains_cs "Compatible"
    or  UserAgent matches regex @"MSIE(\S|.{1,5}?\d\s;)"

Explanation

This query pulls User-Agent values from many sources: audit logs (where the value has to be expanded out of the AdditionalDetails array), AWS CloudTrail, Azure Application Gateway access logs in AzureDiagnostics, container logs, container registry login and repository events, Microsoft Graph activity logs, Office 365 activity, interactive and non-interactive sign-in logs, AD FS sign-in logs, the four Azure Storage log tables and IIS W3C logs. union isfuzzy=true lets the query run even when some of these tables do not exist in the workspace. Each branch keeps only rows where the User-Agent field is not empty (and, for container and AD FS logs, not the "-" placeholder), and where the column has another name (UserAgentHeader, csUserAgent, userAgent_s) it is renamed to UserAgent so the branches line up in the union. The User-Agent header normally identifies the client software, such as the browser or SDK and the operating system.

Some sources need extra processing first. The container log branch uses parse-where to pull the fields out of an access-log line in combined format, and keeps only the last space-separated token of the client address field, since that field can carry more than one address. The OfficeActivity branch for the Azure AD record types parses the User-Agent out of the JSON in ExtendedProperties, using one pattern for AzureActiveDirectoryStsLogon records and another for the remaining AzureActiveDirectory records.

After the union, summarize take_any(*) by Type, UserAgent collapses the rows to one per source table and distinct User-Agent, so the output is a list of suspicious strings rather than every event that carried them. The filter then keeps a User-Agent if it: starts with "User" (the header name itself has ended up in the value, as in "User-Agent: Mozilla/5.0 ..."); starts with a plain or backslash-escaped double quote (the value was quoted); contains "mozilla" in some casing but not the correctly cased "Mozilla" (startswith and contains are case-insensitive in KQL, contains_cs is case-sensitive); contains "Compatible" with a capital C, where genuine browsers write "compatible"; or matches the regular expression MSIE(\S|.{1,5}?\d\s;), which catches an MSIE token glued to its version number or with unusual spacing before the semicolon.

In short, the query surfaces User-Agent strings that no mainstream browser or SDK would produce, which points at a hand-written or tool-generated header, and reports each one once per source table so an analyst can pivot back to the underlying events.
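The final filter and the container-log parse, reimplemented in Python as an added example (not part of the original query page) so the heuristics can be exercised against a few constructed User-Agent strings. KQL's startswith and contains are case-insensitive and contains_cs is case-sensitive, which the code mirrors by lower-casing where the query is case-insensitive; the function names, the sample records and the sample log line are all constructed for this example.

```python
import re

# Python port of the query's regex; re.search mirrors KQL `matches regex`
# (RE2, case-sensitive), and the lazy `.{1,5}?` behaves the same way here.
MSIE_RE = re.compile(r"MSIE(\S|.{1,5}?\d\s;)")

# Approximation of the query's parse-where pattern for a container access-log line:
# ip(s) " - - [" date "] \"" request "\" " code " " bytes " \"" url "\" \"" ua "\" \"" ip2 "\""
CONTAINER_LOG_RE = re.compile(
    r'^(?P<IPAddress>.*?) - - \[(?P<Date>[^\]]*)\] "(?P<Request>[^"]*)" '
    r'(?P<ResponseCode>\S+) (?P<Bytes>\S+) "(?P<URL>[^"]*)" '
    r'"(?P<UserAgent>[^"]*)" "(?P<IPAddress2>[^"]*)"'
)


def is_malformed_user_agent(ua: str) -> bool:
    """True when `ua` trips any of the five conditions in the query's final `where`."""
    lower = ua.lower()
    # startswith "User": the header name leaked into the value ("User-Agent: Mozilla/...").
    if lower.startswith("user"):
        return True
    # startswith @'\"' or '"': the value arrived wrapped in (escaped) quotes.
    if ua.startswith('\\"') or ua.startswith('"'):
        return True
    # contains "Mozilla" and not contains_cs "Mozilla": the token is present but mis-cased.
    if "mozilla" in lower and "Mozilla" not in ua:
        return True
    # contains_cs "Compatible": real browsers write "compatible" in lower case.
    if "Compatible" in ua:
        return True
    # MSIE glued to its version ("MSIE6.0") or odd spacing before the ';' ("MSIE 7.0 ;").
    return MSIE_RE.search(ua) is not None


def parse_container_log_entry(line: str):
    """Extract the fields the ContainerLog branch parses; None if the line does not match."""
    m = CONTAINER_LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The query keeps only the last space-separated token of the address field.
    rec["IPAddress"] = rec["IPAddress"].split(" ")[-1]
    return rec


def find_malformed(records):
    """Mimic `summarize take_any(*) by Type, UserAgent` followed by the malformed filter.

    Returns sorted (Type, UserAgent) pairs, one per source table and distinct value.
    """
    distinct = {}
    for rec in records:
        ua = rec.get("UserAgent", "")
        if not ua or ua == "-":  # the per-source isnotempty / "-" checks
            continue
        distinct.setdefault((rec["Type"], ua), rec)
    return sorted(key for key in distinct if is_malformed_user_agent(key[1]))


# Constructed sample data (not real telemetry).
SAMPLE_CONTAINER_LOG = (
    '10.0.0.5 203.0.113.7 - - [10/Mar/2023:12:00:00 +0000] "GET /login HTTP/1.1" 200 512 '
    '"https://example.test/" "mozilla/5.0 (Windows NT 6.1)" "203.0.113.7"'
)

SAMPLE_RECORDS = [
    {"Type": "SigninLogs", "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
    {"Type": "SigninLogs", "UserAgent": "User-Agent: Mozilla/5.0 (Windows NT 10.0)"},
    {"Type": "SigninLogs", "UserAgent": "User-Agent: Mozilla/5.0 (Windows NT 10.0)"},  # duplicate row
    {"Type": "AWSCloudTrail", "UserAgent": "aws-cli/2.13.0"},
    {"Type": "W3CIISLog", "UserAgent": "Mozilla/4.0 (Compatible; MSIE 6.0; Windows NT 5.1)"},
    {"Type": "ADFSSignInLogs", "UserAgent": "-"},
    {"Type": "ContainerLog", "UserAgent": parse_container_log_entry(SAMPLE_CONTAINER_LOG)["UserAgent"]},
]

if __name__ == "__main__":
    for source, ua in find_malformed(SAMPLE_RECORDS):
        print(f"{source:16} {ua}")
```

Running the block prints the three flagged strings (the leaked header name from SigninLogs, the capitalised "Compatible" from W3CIISLog and the lower-case "mozilla" parsed out of the container log line), while the well-formed browser and aws-cli values and the "-" placeholder drop out, exactly as they would in the KQL result.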

Details

Jose Sebastián Canós

Released: March 9, 2023

Tables

AuditLogs,AWSCloudTrail,AzureDiagnostics,ContainerLog,ContainerRegistryLoginEvents,ContainerRegistryRepositoryEvents,MicrosoftGraphActivityLogs,OfficeActivity,SigninLogs,AADNonInteractiveUserSignInLogs,ADFSSignInLogs,StorageBlobLogs,StorageFileLogs,StorageQueueLogs,StorageTableLogs,W3CIISLog

Keywords

AuditLogs,AWSCloudTrail,AzureDiagnostics,ApplicationGatewayAccessLog,ApplicationGatewayAccess,ContainerLog,ContainerRegistryLoginEvents,ContainerRegistryRepositoryEvents,MicrosoftGraphActivityLogs,OfficeActivity,AzureActiveDirectory,AzureActiveDirectoryStsLogon,SigninLogs,AADNonInteractiveUserSignInLogs,ADFSSignInLogs,StorageBlobLogs,StorageFileLogs,StorageQueueLogs,StorageTableLogs,W3CIISLog,UserAgent,IPAddress,Date,Request,ResponseCode,Bytes,URL,IPAddress2,RecordType,ExtendedProperties,UserAgentHeader,Type,Mozilla,Compatible,MSIE

Operators

union,mv-expand,where,extend,tostring,isnotempty,parse-where,not,isempty,split,in,parse,iff,summarize,take_any,startswith,contains,contains_cs,matches regex