KQL Search

Query Details

Sign Ins By Browser

Query

# Total Succesful Sign-Ins by Browser

## Query Information

#### Description
This query lists all the different browsers that are used to succesfully sign in to your Entra ID Tenant. This could be used to detect rare browsers that are used to sign into your tenant.


## Defender For Endpoint
```
AADSignInEventsBeta
| where isnotempty(UserAgent)
// Filter for successful sign ins only
| where ErrorCode == 0
| extend ParsedAgent = parse_json(parse_user_agent(UserAgent, "browser"))
| extend Browser = strcat(tostring(ParsedAgent.Browser.Family), " ", tostring(ParsedAgent.Browser.MajorVersion), ".", tostring(ParsedAgent.Browser.MinorVersion))
| summarize Total = count() by Browser
| sort by Total
```

## Sentinel
```KQL
SigninLogs
| where isnotempty(UserAgent)
// Filter for successful sign ins only
| where ResultType == 0
| extend ParsedAgent = parse_json(parse_user_agent(UserAgent, "browser"))
| extend Browser = strcat(tostring(ParsedAgent.Browser.Family), " ", tostring(ParsedAgent.Browser.MajorVersion), ".", tostring(ParsedAgent.Browser.MinorVersion))
| summarize Total = count() by Browser
| sort by Total
```

Explanation

This query retrieves the total number of successful sign-ins categorized by different browsers used. It filters for successful sign-ins only and extracts the browser information from the UserAgent field. The query then counts the occurrences of each browser and sorts the results by the total count.

Details

Bert-Jan Pals

Released: November 16, 2023

Tables

AADSignInEventsBetaSigninLogs

Keywords

Devices,Intune,User

Operators

whereisnotemptyErrorCodeextendparse_jsonparse_user_agentstrcattostringsummarizecountsort

KQL Search

Sign Ins By Browser

Query

Explanation

Details

Actions