Total Succesful Sign-Ins by Browser
Sign Ins By Browser
Query
SigninLogs
| where isnotempty(UserAgent)
// Filter for successful sign ins only
| where ResultType == 0
| extend ParsedAgent = parse_json(parse_user_agent(UserAgent, "browser"))
| extend Browser = strcat(tostring(ParsedAgent.Browser.Family), " ", tostring(ParsedAgent.Browser.MajorVersion), ".", tostring(ParsedAgent.Browser.MinorVersion))
| summarize Total = count() by Browser
| sort by TotalAbout this query
Total Succesful Sign-Ins by Browser
Query Information
Description
This query lists all the different browsers that are used to succesfully sign in to your Entra ID Tenant. This could be used to detect rare browsers that are used to sign into your tenant.
Defender XDR
| where isnotempty(UserAgent)
// Filter for successful sign ins only
| where ErrorCode == 0
| extend ParsedAgent = parse_json(parse_user_agent(UserAgent, "browser"))
| extend Browser = strcat(tostring(ParsedAgent.Browser.Family), " ", tostring(ParsedAgent.Browser.MajorVersion), ".", tostring(ParsedAgent.Browser.MinorVersion))
| summarize Total = count() by Browser
| sort by Total
Sentinel
Explanation
This query is designed to analyze successful sign-ins to an Entra ID Tenant by examining the browsers used during these sign-ins. Here's a simple breakdown of what the query does:
-
Data Source: It looks at sign-in events, specifically focusing on those where the user agent information (which includes browser details) is available.
-
Filter for Success: It filters the data to include only successful sign-ins. This is determined by checking if the error code or result type is zero, indicating no errors occurred during the sign-in process.
-
Parse Browser Information: The query extracts detailed information about the browser used for each sign-in. It parses the user agent string to identify the browser family (e.g., Chrome, Firefox) and its version (major and minor).
-
Count and Summarize: It counts how many times each browser version was used for successful sign-ins.
-
Sort Results: Finally, it sorts the results by the total number of sign-ins for each browser, allowing you to see which browsers are most commonly used.
This analysis can help identify unusual or rare browsers being used to access your tenant, which might be useful for security monitoring or understanding user behavior.
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
Keywords
Operators