KQL Search

This query is designed to analyze user sign-in logs by examining the user agents involved. Here's a simple breakdown of what it does:

1. Combine Data: It starts by combining data from two sources: SigninLogs and AADNonInteractiveUserSignInLogs.

2. Filter Non-Empty User Agents: It filters the combined data to only include entries where the UserAgent field is not empty. This ensures that only records with user agent information are considered.

3. Extract User Agent Details:

   • It uses the parse_user_agent function to analyze the UserAgent string and extract detailed information about the browser.
   • This information is stored in a new column called UserAgentDetail.

4. Extract Specific User Agent Information:

   • It extracts the browser family (e.g., Chrome, Firefox) from the UserAgentDetail and stores it in a new column called UserAgentFamily.
   • It also extracts the major version of the browser and stores it in a column called UserAgentMajorVersion.

5. Commented Out Parts:

   • The line //| where TimeGenerated > ago(30d) is commented out, which means it is not currently filtering the data to only include entries from the last 30 days.
   • The line //| summarize count() by UserAgent is also commented out, which means it is not currently summarizing the data by counting the number of occurrences of each user agent.

In summary, the query processes sign-in logs to extract and organize information about the browsers used during sign-ins, but it does not currently limit the data to the last 30 days or provide a summary count of user agents.