Query Details

Threat Hunt Suspicious User Agents

Query

let ThreatIntelFeed = externaldata(http_user_agent: string)[@"https://raw.githubusercontent.com/mthcht/awesome-lists/main/Lists/suspicious_http_user_agents_list.csv"] with (format="csv", ignoreFirstRecord=True);
let SuspiciousUserAgent = materialize (
ThreatIntelFeed
| distinct http_user_agent
);
DeviceNetworkEvents
| where ActionType == "HttpConnectionInspected"
| extend json = todynamic(AdditionalFields)
| extend direction = tostring(json.direction), method = tostring(json.method), user_agent = tostring(json.user_agent)
| where direction == "Out"
| where user_agent in (SuspiciousUserAgent)

Explanation

This query retrieves a list of suspicious HTTP user agents from an external CSV feed and deduplicates it. It then filters DeviceNetworkEvents to records with the action type "HttpConnectionInspected", parses the AdditionalFields column as dynamic JSON, and extracts the direction, method, and user_agent values. Finally it keeps only outbound connections and returns those whose user agent appears in the suspicious list.
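An added example, not part of the original submission, that extends the query above for triage: it matches with in~ so that casing differences between the feed and the observed header do not cause misses (in is case-sensitive), bounds the scan to the last 7 days, and summarizes hits per device with the initiating process and remote destinations. It assumes the same feed URL and the standard DeviceNetworkEvents columns Timestamp, DeviceName, InitiatingProcessFileName and RemoteUrl.

```kql
// Added example, not the original submission: case-insensitive matching plus
// a per-device triage summary. Same feed and table assumptions as the query above.
let ThreatIntelFeed = externaldata(http_user_agent: string)[@"https://raw.githubusercontent.com/mthcht/awesome-lists/main/Lists/suspicious_http_user_agents_list.csv"] with (format="csv", ignoreFirstRecord=true);
let SuspiciousUserAgent = materialize (
    ThreatIntelFeed
    | where isnotempty(http_user_agent)          // drop blank rows from the feed
    | distinct http_user_agent
);
DeviceNetworkEvents
| where Timestamp > ago(7d)                       // bound the scan window
| where ActionType == "HttpConnectionInspected"
| extend json = todynamic(AdditionalFields)
| extend direction = tostring(json.direction), method = tostring(json.method), user_agent = tostring(json.user_agent)
| where direction == "Out"
| where user_agent in~ (SuspiciousUserAgent)      // in~ ignores case; in does not
| summarize Connections = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Methods = make_set(method, 10),
            Destinations = make_set(RemoteUrl, 20),
            Processes = make_set(InitiatingProcessFileName, 10)
    by DeviceName, user_agent
| order by Connections desc
```

A single device with many connections from one process and one user agent is usually a tool or updater to verify; a user agent spread thinly across many devices is more often a shared application than a compromise.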

Details

@jbaz_t (User Submission)

Released: October 25, 2023

Tables

DeviceNetworkEvents

Keywords

Devices,Intune,User,ThreatIntelFeed,SuspiciousUserAgent,DeviceNetworkEvents,ActionType,HttpConnectionInspected,AdditionalFields,direction,method,user_agent

Operators

let,externaldata,with,format,ignoreFirstRecord,materialize,distinct,where,extend,todynamic,tostring,in