Saturday, May 17, 2025

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Kusto Query LanguageMicrosoft SentinelSECURE

List New UserAgent Used Based On SigninLogs

Wayne Andes 2 min read

Description

This KQL query can be used to detect new UserAgents that have been used to perform sign in activities (successful or failed). If you company only uses windows devices it will be interesting to investigate the other UserAgents that have been used.

False positives can be new browser updates that trigger new UserAgents, this can be detected by a lot of entries for a specific agent.

Risk

A malicious actor signs in to your tenant with a user agent that is not user in your environment. It can also be a script that uses (leaked) credentials on your tenant.

Query

Microsoft Sentinel
Kusto
let KnownUserAgents = SigninLogs
  | where TimeGenerated > ago(90d) and TimeGenerated < ago(3d)
  | distinct UserAgent;
SigninLogs
| where TimeGenerated > ago(3d)
| where UserAgent !in (KnownUserAgents)
| project TimeGenerated, UserAgent, ResultType, Identity, UserPrincipalName, IPAddress

You May Also Like

List QR Code URLs in Delivered Inbound Email Messages Detected By by Microsoft Defender XDR

Wayne Andes

List Security Alerts Triggered By Users At Risk

Wayne Andes

Visualize Devices That Initiate The Most Cleartext LDAP Authentications

Wayne Andes

Leave a Reply

Your email address will not be published. Required fields are marked *