
List Sign-ins By UserAgent

Description

This KQL query lists the user agents used to sign in to your tenant, counted per user agent, so that rarely seen ones stand out. A user agent that is used by only a handful of sign-ins (or a single account) is worth a closer look: attackers authenticating with stolen credentials, tokens or scripted tooling often show up with a user agent that none of your normal users produce.

The query can be extended by filtering on successful and failed sign-ins. A successful sign-in has ResultType == "0" in SigninLogs and ErrorCode == 0 in AADSignInEventsBeta; anything else is a failure.

Query

Microsoft Defender For Endpoint
Kusto
// Count sign-ins per user agent; rarest first, since those are the interesting ones
AADSignInEventsBeta
| summarize count() by UserAgent
| sort by count_ asc

Microsoft Sentinel
Kusto
// Count sign-ins per user agent and parse browser, OS and device out of the string;
// rarest first, since those are the interesting ones
SigninLogs
| summarize count() by UserAgent
| extend x = parse_user_agent(UserAgent, dynamic(["browser", "os", "device"]))
| sort by count_ asc
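The following is an added example, not a query from the original page, that carries out the extension described above on the Sentinel SigninLogs table: it splits the count into successful and failed sign-ins, records which accounts and source IPs used each user agent, and keeps only user agents seen for at most a small number of distinct users. The lookback window (30 days) and the rarity threshold (2 distinct users) are assumptions chosen for illustration; tune them to your tenant.

```kusto
// Added example (not part of the original page).
// Assumptions: 30-day lookback and "rare" = used by at most 2 distinct accounts.
let lookback = 30d;
let rare_user_threshold = 2;
SigninLogs
| where TimeGenerated > ago(lookback)
| where isnotempty(UserAgent)
// Break the raw string into browser / OS / device so similar agents can be compared
| extend ua = parse_user_agent(UserAgent, dynamic(["browser", "os", "device"]))
| extend Browser = tostring(ua.Browser.Family),
         OS = tostring(ua.OperatingSystem.Family),
         Device = tostring(ua.Device.Family)
| summarize
    SignIns = count(),
    SuccessfulSignIns = countif(ResultType == "0"),   // "0" = success in SigninLogs
    FailedSignIns = countif(ResultType != "0"),
    DistinctUsers = dcount(UserPrincipalName),
    Users = make_set(UserPrincipalName, 10),          // cap the set to keep rows readable
    SourceIPs = make_set(IPAddress, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by UserAgent, Browser, OS, Device
// Keep only user agents that very few accounts ever used
| where DistinctUsers <= rare_user_threshold
// Drop agents that never got in; remove this line to also review pure brute-force noise
| where SuccessfulSignIns > 0
| sort by SignIns asc
```

The same logic applies to AADSignInEventsBeta in Defender advanced hunting by swapping TimeGenerated for Timestamp, UserPrincipalName for AccountUpn and ResultType == "0" for ErrorCode == 0; IPAddress and UserAgent keep their names. Reviewing FirstSeen together with Users and SourceIPs is usually what turns a rare user agent from a curiosity into a lead: a user agent that appeared for the first time this week, for one account, from an IP range you do not recognise, deserves a look at that account's session.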
