# New UserAgent used

## Query Information

#### Description

This query can be used to detect new UserAgents that have been used to perform sign-in activities (successful or failed). If your company only uses Windows devices, it will be interesting to investigate the other UserAgents that have been used. False positives can be new browser updates that trigger new UserAgents; these can be recognised by a large number of entries for a specific agent.

#### Risk

A malicious actor signs in to your tenant with a user agent that is not used in your environment. It can also be a script that uses (leaked) credentials on your tenant.

## Defender For Endpoint

```
let KnownUserAgents = AADSignInEventsBeta
    | where Timestamp > ago(30d) and Timestamp < ago(3d)
    | distinct UserAgent;
AADSignInEventsBeta
| where Timestamp > ago(3d)
| where UserAgent !in (KnownUserAgents)
| project Timestamp, UserAgent, ErrorCode, AccountObjectId, AccountDisplayName, IPAddress
```

## Sentinel

```
let KnownUserAgents = SigninLogs
    | where TimeGenerated > ago(90d) and TimeGenerated < ago(3d)
    | distinct UserAgent;
SigninLogs
| where TimeGenerated > ago(3d)
| where UserAgent !in (KnownUserAgents)
| project TimeGenerated, UserAgent, ResultType, Identity, UserPrincipalName, IPAddress
```
The query is used to detect new UserAgents that have been used for sign-in activities. It helps identify any UserAgents that are not commonly used in the company's environment, which could indicate a malicious actor or an unauthorized script using leaked credentials. The query compares the UserAgent values from recent sign-in events (the last 3 days) with a list of known UserAgents built from the preceding baseline window. If a UserAgent is not found in the known list, it is considered new and included in the query results. The results include the timestamp, UserAgent, the sign-in result (ErrorCode in Defender For Endpoint, ResultType in Sentinel), the account identifiers, and the IP address.
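The same baseline-versus-recent logic, run offline over constructed sign-in events, as an added example that is not part of the original query page. It reproduces the KQL's two windows and then summarises each new agent so the false positive the description mentions (a browser update seen across many accounts) can be separated from a lone scripted client; the event data, thresholds and the `triage` helper are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Fixed "now" so the example is deterministic; windows mirror the Sentinel query.
NOW = datetime(2023, 6, 7, 12, 0, 0)
CHROME_114 = "Mozilla/5.0 (Windows NT 10.0) Chrome/114.0"
SCRIPT_UA = "python-requests/2.31"

# Constructed events: (TimeGenerated, UserAgent, ResultType, UserPrincipalName, IPAddress).
SIGNIN_EVENTS = [
    # Baseline window (90d .. 3d ago): agents normally seen in the tenant.
    (NOW - timedelta(days=20), "Mozilla/5.0 (Windows NT 10.0) Chrome/113.0", "0", "alice@contoso.example", "203.0.113.10"),
    (NOW - timedelta(days=10), "Mozilla/5.0 (Windows NT 10.0) Chrome/113.0", "0", "bob@contoso.example", "203.0.113.11"),
    (NOW - timedelta(days=5), "Mozilla/5.0 (Windows NT 10.0) Edge/113.0", "0", "carol@contoso.example", "203.0.113.12"),
    # Recent window: a browser update rolled out to many users (the described false positive).
    (NOW - timedelta(days=2), CHROME_114, "0", "alice@contoso.example", "203.0.113.10"),
    (NOW - timedelta(days=2), CHROME_114, "0", "bob@contoso.example", "203.0.113.11"),
    (NOW - timedelta(days=1), CHROME_114, "0", "carol@contoso.example", "203.0.113.12"),
    # Recent window: a scripted client never seen before, one failure then a success.
    (NOW - timedelta(hours=6), SCRIPT_UA, "50126", "alice@contoso.example", "198.51.100.7"),
    (NOW - timedelta(hours=5), SCRIPT_UA, "0", "alice@contoso.example", "198.51.100.7"),
    # Recent window but already in the baseline: not reported.
    (NOW - timedelta(days=1), "Mozilla/5.0 (Windows NT 10.0) Edge/113.0", "0", "carol@contoso.example", "203.0.113.12"),
]


def new_user_agents(events, now=NOW, baseline_days=90, recent_days=3):
    """Per-agent summary of UserAgents seen in the last recent_days but never in
    the baseline window (baseline_days .. recent_days ago), like the KQL's !in."""
    baseline_start = now - timedelta(days=baseline_days)
    recent_start = now - timedelta(days=recent_days)
    known = {ua for ts, ua, *_ in events if baseline_start < ts < recent_start}
    summary = {}
    for ts, ua, result, upn, ip in events:
        if ts <= recent_start or ua in known:
            continue
        s = summary.setdefault(ua, {"events": 0, "failures": 0, "accounts": set(), "ips": set(), "first_seen": ts})
        s["events"] += 1
        s["failures"] += result != "0"  # ResultType "0" is a successful sign-in
        s["accounts"].add(upn)
        s["ips"].add(ip)
        s["first_seen"] = min(s["first_seen"], ts)
    return summary


def triage(summary, broad_rollout_min_accounts=3):
    """Assumed heuristic: a new agent used by many distinct accounts looks like a
    browser update; anything narrower is left for an analyst to review."""
    return {ua: ("likely browser update" if len(s["accounts"]) >= broad_rollout_min_accounts else "investigate")
            for ua, s in summary.items()}


if __name__ == "__main__":
    found = new_user_agents(SIGNIN_EVENTS)
    for ua, verdict in triage(found).items():
        print(f"{verdict:22} {ua}  events={found[ua]['events']} failures={found[ua]['failures']}")
```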

Bert-Jan Pals
Released: June 7, 2023