New User Agent Used
Query
let KnownUserAgents = AADSignInEventsBeta
| where Timestamp > ago(30d) and Timestamp < ago(3d)
| distinct UserAgent;
AADSignInEventsBeta
| where Timestamp > ago(3d)
| where UserAgent !in (KnownUserAgents)
| project Timestamp, UserAgent, ErrorCode, AccountObjectId,AccountDisplayName, IPAddressAbout this query
New UserAgent used
Query Information
Description
This query can be used to detect new UserAgents that have been used to perform sign in activities (succesful or failed). If you company only uses windows devices it will be interesting to investigate the other UserAgents that have been used.
False positives can be new browser updates that trigger new UserAgents, this will can be detected by a lot of entries for a specific agent.
Risk
A malicious actor signs in to your tenant with a user agent that is not user in your environment. It can also be a script that uses (leaked) credentials on your tentant.
Defender XDR
Sentinel
let KnownUserAgents = SigninLogs
| where TimeGenerated > ago(90d) and TimeGenerated < ago(3d)
| distinct UserAgent;
SigninLogs
| where TimeGenerated > ago(3d)
| where UserAgent !in (KnownUserAgents)
| project TimeGenerated, UserAgent, ResultType, Identity, UserPrincipalName, IPAddress
Explanation
This query is designed to identify new UserAgents that have been used for sign-in activities, whether successful or failed, within a specific time frame. It is particularly useful for organizations that primarily use Windows devices, as it helps to spot unusual UserAgents that might indicate unauthorized access or script-based attacks using leaked credentials.
Here's a simplified breakdown of how the query works:
-
Identify Known UserAgents:
- The query first looks at sign-in events from a past period (either the last 30 days for Defender XDR or the last 90 days for Sentinel) but excludes the most recent 3 days.
- It collects a list of distinct UserAgents that have been used during this period.
-
Detect New UserAgents:
- It then examines sign-in events from the most recent 3 days.
- It filters out any UserAgents that were already identified in the previous step, focusing only on new or previously unseen UserAgents.
-
Output Relevant Information:
- For these new UserAgents, the query outputs details such as the timestamp of the sign-in attempt, the UserAgent string, error codes (if any), account information, and IP addresses.
This approach helps in detecting potentially suspicious activities by highlighting UserAgents that are not typically used in the environment. However, it also notes that false positives can occur due to legitimate changes, such as browser updates that introduce new UserAgents.
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
Keywords
Operators