Sign Ins By OS

# Total Sign In actions by Operating System

## Query Information

#### Description
This query can be used to detect rare operating systems that are used to sign into your tenant. For example, if your company only has Windows company devices and you see sign-ins from macOS, those can be interesting to investigate.

The query can be extended by filtering on failed or successful sign-ins.

## Defender For Endpoint
```
AADSignInEventsBeta
| summarize count() by OSPlatform
| sort by count_
```

## Sentinel
```
SigninLogs
| extend
     Browser = tostring(parse_json(DeviceDetail).browser),
     OS = tostring(parse_json(DeviceDetail).operatingSystem)
| summarize count() by OS
| sort by count_
```
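The extension mentioned above (splitting the per-OS totals into successful and failed sign-ins) in the Sentinel form, as an added example that is not part of the original page. It assumes a 30-day lookback and a 1% rarity threshold, both arbitrary choices, and relies on SigninLogs reporting success as ResultType "0".

```kql
// Added example, not the original query. Counts sign-ins per operating
// system, splits them into successful and failed, and flags platforms
// that account for less than 1% of all sign-ins (assumed threshold).
let lookback = 30d;          // assumed window
let rare_threshold = 0.01;   // assumed: below 1% of all sign-ins is "rare"
let total = toscalar(
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | count);
SigninLogs
| where TimeGenerated > ago(lookback)
| extend OS = tostring(parse_json(DeviceDetail).operatingSystem)
// Empty OS values usually mean the device details were not reported
| extend OS = iff(isempty(OS), "Unknown", OS)
| summarize
    Total = count(),
    Successful = countif(ResultType == "0"),   // "0" = success in SigninLogs
    Failed = countif(ResultType != "0"),
    Users = dcount(UserPrincipalName)
    by OS
| extend Share = round(100.0 * Total / total, 2)
| extend IsRare = Total < total * rare_threshold
// Ascending so the rarest platforms are at the top of the result set
| sort by Total asc
```

Rows with IsRare == true and a handful of distinct users are the ones worth a closer look; the Successful/Failed split tells you whether the unusual platform actually got in.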

Explanation

The query is used to count the total number of sign-in actions by operating system. It can be used to identify any rare operating systems that are used to sign into the tenant. The query can be further customized to filter for successful or failed sign-ins.

For Defender for Endpoint:

  • The query uses the AADSignInEventsBeta table.
  • It summarizes the count of sign-ins by OSPlatform.
  • The results are sorted by count, descending (the default for sort by in KQL), so the rarest operating systems appear at the bottom.

For Sentinel:

  • The query uses the SigninLogs table.
  • It extends the query with the browser and operating system extracted from the DeviceDetail JSON field (only the OS is used in the summarize).
  • It summarizes the count of sign-ins by operating system.
  • The results are sorted by count, descending (the default for sort by in KQL), so the rarest operating systems appear at the bottom.

Details

Bert-Jan Pals

Released: June 7, 2023

Tables

AADSignInEventsBeta, SigninLogs

Keywords

Devices, Intune, User

Operators

summarize, count(), by, sort, extend, tostring, parse_json