Query Details

Sign Ins By User Agent

Query

# Sign Ins by UserAgent

## Query Information

#### Description
This query can be used to detect rare UserAgents that are used to sign in to your tenant. Those rare UserAgents can be used for malicious access to your tenant.

The query can be extended by filtering on successful and failed sign-ins.

## Defender For Endpoint
```
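// Count sign-ins per UserAgent in the Entra ID sign-in events table
AADSignInEventsBeta
| summarize count() by UserAgent
// sort defaults to descending, so the rarest UserAgents are at the bottom
| sort by count_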
```

## Sentinel
```
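// Count sign-ins per UserAgent in the Sentinel sign-in log table
SigninLogs
| summarize count() by UserAgent
// sort defaults to descending, so the rarest UserAgents are at the bottom
| sort by count_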
```

Explanation

This query is used to count the number of sign-ins by UserAgent, which helps detect any uncommon UserAgents that may be used for malicious access to your system. The query can be modified to filter for successful or failed sign-ins. In Defender for Endpoint, the query is written as "AADSignInEventsBeta | summarize count() by UserAgent | sort by count_". In Sentinel, the query is written as "SigninLogs | summarize count() by UserAgent | sort by count_".
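The extension mentioned above, splitting the count into successful and failed sign-ins and keeping only the rare UserAgents, could look like this for Sentinel. This is an added example, not part of the original query; the 30-day lookback, the threshold of 5 sign-ins and the output column names are assumptions to tune per tenant.

```kql
// Added example: rare UserAgents with a success/failure breakdown.
// Assumed values: 30-day lookback, "rare" means 5 sign-ins or fewer.
let lookback = 30d;
let rare_threshold = 5;
SigninLogs
| where TimeGenerated > ago(lookback)
// Some sign-in flows log no UserAgent; exclude them so they do not form one bucket
| where isnotempty(UserAgent)
| summarize
    TotalSignIns = count(),
    Successful = countif(ResultType == "0"),   // ResultType "0" means the sign-in succeeded
    Failed = countif(ResultType != "0"),
    DistinctUsers = dcount(UserPrincipalName),
    DistinctIPs = dcount(IPAddress),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by UserAgent
// Keep only UserAgents seen at most rare_threshold times in the lookback window
| where TotalSignIns <= rare_threshold
// Rare UserAgents that actually authenticated are the first ones to review
| sort by Successful desc, TotalSignIns asc
```

For Defender, the same logic applies to AADSignInEventsBeta with `Timestamp` in place of `TimeGenerated`, `ErrorCode == 0` in place of `ResultType == "0"`, and `AccountUpn` in place of `UserPrincipalName`.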

Details


Bert-Jan Pals

Released: June 7, 2023

Tables

AADSignInEventsBeta, SigninLogs

Keywords

UserAgent

Operators

AADSignInEventsBeta summarize count() by UserAgent sort by count_

SigninLogs summarize count() by UserAgent sort by count_
