Query Details

Successful Signin From Suspicious User Agent

Query

let SuspiciousUserAgents = externaldata(http_user_agent:string,metadata_description:string,metadata_tool:string,metadata_category:string,metadata_link:string,metadata_priority:string,metadata_fp_risk:string,metadata_severity:string,metadata_usage:string,metadata_flow_from_external:string,metadata_flow_from_internal:string,metadata_flow_to_internal:string,metadata_flow_to_external:string,metadata_for_successful_external_login_events:string,metadata_comment:string)["https://raw.githubusercontent.com/mthcht/awesome-lists/refs/heads/main/Lists/suspicious_http_user_agents_list.csv"] with (format="csv", ignoreFirstRecord=true);
let UserAgentsOfInterest = SuspiciousUserAgents
| where metadata_category in~ ("Credential Access",
    "Phishing",
    "phishing",
    "Reconnaissance",
    "Exploit",
    "Exploitation",
    "Exploitation tool",
    "Defense Evasion",
    "POST Exploitation",
    "Bots & Vulnerability Scanner",
    "uncommun user agent")
| extend StandardizedUserAgent = replace_string(http_user_agent, "*", "")
| distinct StandardizedUserAgent;
EntraIdSignInEvents
| where ErrorCode == 0
| where UserAgent has_any (UserAgentsOfInterest)
| project-reorder Timestamp, AccountUpn, LogonType, UserAgent, ErrorCode, SessionId

About this query

Explanation

This query is designed to detect potentially suspicious sign-ins to Azure AD (Entra ID) by identifying successful logins that use unusual or known malicious user agent strings. Here's a simplified breakdown:

  1. Purpose: The query aims to identify successful sign-ins where the user agent string matches a list of suspicious or tool-based user agents. These user agents are often associated with scripts, automation tools, or offensive security tools that attackers might use.

  2. Data Source: It uses an external CSV file containing a list of suspicious user agent strings. This list includes user agents related to activities like credential access, phishing, reconnaissance, exploitation, and other malicious actions.

  3. Process:

    • The query first loads the list of suspicious user agents from an external CSV file.
    • It filters this list to focus on user agents associated with specific malicious activities.
    • It then checks the Entra ID sign-in logs for successful sign-ins (ErrorCode 0 in EntraIdSignInEvents, or ResultType 0 in SigninLogs) whose user agent string contains any of these suspicious user agents.
  4. Output: The query outputs details of these sign-in events, including the timestamp, user account name, type of logon, user agent string, and session ID. This information can help security teams investigate potential unauthorized access or abuse of accounts.

  5. Risk: Successful sign-ins with these suspicious user agents could indicate that an attacker is using automated tools to perform reconnaissance or abuse compromised accounts, potentially leading to further exploitation.

Overall, this query helps in identifying and investigating potentially malicious activities targeting Azure AD accounts by focusing on unusual user agent strings during successful sign-ins.
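To make the matching steps concrete without a Sentinel or Defender workspace, the following Python script is an added example (not the page's KQL query and not code from the list's author) that emulates the same pipeline over constructed data: a CSV snippet using the column names of the referenced list, the same category filter applied case-insensitively (mirroring `in~`), `*` wildcard stripping (mirroring `replace_string`), and a scan of constructed sign-in records for ErrorCode 0 events whose UserAgent contains a listed string. The sign-in records, the CSV rows and the UPNs are invented samples; `has_any` is approximated with a case-insensitive substring test, which is looser than KQL's whole-term matching.

```python
"""Offline emulation of the 'Successful Signin From Suspicious User Agent' logic.

Added example, not the page's query. Steps mirror the KQL:
  1. load the suspicious user-agent CSV (inline constructed snippet here),
  2. keep rows whose category is in the set of interest (case-insensitive),
  3. strip '*' wildcards and de-duplicate,
  4. keep successful sign-ins (ErrorCode == 0) whose UserAgent matches.
"""
import csv
import io

# Constructed CSV snippet. Column names follow the header of the list the
# query downloads; the rows themselves are invented for this example.
SAMPLE_CSV = """http_user_agent,metadata_tool,metadata_category
python-requests/*,python requests,uncommun user agent
ExamplePhishKit/*,hypothetical phishing kit,phishing
sqlmap/*,sqlmap,Exploitation tool
Mozilla/5.0 (Windows NT 10.0; Win64; x64)*,browser,Browser
"""

# Same category literals as the query; lowered once so the comparison is
# case-insensitive like KQL's `in~` (note "Phishing"/"phishing" collapse).
CATEGORIES_OF_INTEREST = {c.lower() for c in (
    "Credential Access", "Phishing", "phishing", "Reconnaissance", "Exploit",
    "Exploitation", "Exploitation tool", "Defense Evasion", "POST Exploitation",
    "Bots & Vulnerability Scanner", "uncommun user agent")}


def load_user_agents_of_interest(csv_text: str) -> set[str]:
    """Return the de-duplicated, wildcard-stripped user agents of interest."""
    # DictReader consumes the header row, the equivalent of ignoreFirstRecord.
    reader = csv.DictReader(io.StringIO(csv_text))
    agents = set()
    for row in reader:
        if row["metadata_category"].strip().lower() in CATEGORIES_OF_INTEREST:
            # replace_string(http_user_agent, "*", "")
            agents.add(row["http_user_agent"].replace("*", ""))
    return agents


# Constructed sign-in records using the column names the query projects.
# ErrorCode 50126 (wrong credentials) is a failed attempt and must be ignored.
SAMPLE_SIGNINS = [
    {"Timestamp": "2026-03-23T08:01:12Z", "AccountUpn": "alice@example.com",
     "LogonType": "Interactive", "ErrorCode": 0, "SessionId": "sess-0001",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
    {"Timestamp": "2026-03-23T08:02:40Z", "AccountUpn": "bob@example.com",
     "LogonType": "Interactive", "ErrorCode": 0, "SessionId": "sess-0002",
     "UserAgent": "python-requests/2.31.0"},
    {"Timestamp": "2026-03-23T08:03:05Z", "AccountUpn": "carol@example.com",
     "LogonType": "Interactive", "ErrorCode": 50126, "SessionId": "sess-0003",
     "UserAgent": "python-requests/2.31.0"},
    {"Timestamp": "2026-03-23T08:04:59Z", "AccountUpn": "dave@example.com",
     "LogonType": "Interactive", "ErrorCode": 0, "SessionId": "sess-0004",
     "UserAgent": "examplephishkit/1.0"},
]


def matches_any(user_agent: str, needles: set[str]) -> bool:
    """Case-insensitive substring test; an approximation of KQL `has_any`."""
    ua = user_agent.lower()
    return any(n.lower() in ua for n in needles)


def find_suspicious_successful_signins(signins, agents):
    """Equivalent of: | where ErrorCode == 0 | where UserAgent has_any (agents)."""
    return [e for e in signins
            if e["ErrorCode"] == 0 and matches_any(e["UserAgent"], agents)]


if __name__ == "__main__":
    ua_list = load_user_agents_of_interest(SAMPLE_CSV)
    for hit in find_suspicious_successful_signins(SAMPLE_SIGNINS, ua_list):
        print(hit["Timestamp"], hit["AccountUpn"], hit["LogonType"],
              hit["UserAgent"], hit["ErrorCode"], hit["SessionId"])
```

Running it flags only bob (python-requests) and dave (the hypothetical phishing kit, matched despite the case difference); alice's browser user agent is excluded because its category is not of interest, and carol's identical python-requests attempt is excluded because it failed. When tuning the real query, the same two levers apply: which metadata_category values you admit, and how strictly `has_any` matches after the wildcards are removed.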

Details


Bert-Jan Pals

Released: March 23, 2026

Tables

EntraIdSignInEvents, SigninLogs

Keywords

Azure AD, Entra ID, User Agent, Sign-In, Account, Credential Access, Phishing, Reconnaissance, Exploit, Exploitation, Defense Evasion, Bots, Vulnerability Scanner

Operators

let, externaldata, with, format, ignoreFirstRecord, in~, extend, replace_string, distinct, where, has_any, project-reorder
