
List Total Successful Sign-Ins By Browser

Description

This KQL query lists all the different browsers that are used to successfully sign in to your Entra ID tenant, with the total number of successful sign-ins per browser. It can be used to detect rare browsers that are used to sign in to your tenant.

Query

Microsoft Defender For Endpoint
AADSignInEventsBeta
| where isnotempty(UserAgent)
// Filter for successful sign ins only
| where ErrorCode == 0
| extend ParsedAgent = parse_json(parse_user_agent(UserAgent, "browser"))
| extend Browser = strcat(tostring(ParsedAgent.Browser.Family), " ", tostring(ParsedAgent.Browser.MajorVersion), ".", tostring(ParsedAgent.Browser.MinorVersion))
| summarize Total = count() by Browser
| sort by Total

Microsoft Sentinel
SigninLogs
| where isnotempty(UserAgent)
// Filter for successful sign-ins only (ResultType is a string column in SigninLogs)
| where ResultType == "0"
| extend ParsedAgent = parse_json(parse_user_agent(UserAgent, "browser"))
| extend Browser = strcat(tostring(ParsedAgent.Browser.Family), " ", tostring(ParsedAgent.Browser.MajorVersion), ".", tostring(ParsedAgent.Browser.MinorVersion))
| summarize Total = count() by Browser
| sort by Total
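
To turn the per-browser totals into a rare-browser hunt, the following added example (not part of the original queries) keeps only browsers below a share of all successful sign-ins and shows who used them and from where. The names `Lookback`, `RareThreshold`, `SuccessfulSignIns` and `TotalSignIns`, and the values 30d and 0.5 percent, are assumptions to tune for your tenant.

```kusto
// Added example: browsers that account for a small share of successful sign-ins.
// Lookback and RareThreshold are assumed starting values, not recommendations from the original page.
let Lookback = 30d;
let RareThreshold = 0.5; // percent of all successful sign-ins in the lookback window
let SuccessfulSignIns = SigninLogs
    | where TimeGenerated > ago(Lookback)
    | where isnotempty(UserAgent)
    // ResultType is a string column; "0" means success
    | where ResultType == "0"
    | extend ParsedAgent = parse_user_agent(UserAgent, "browser")
    | extend Browser = strcat(tostring(ParsedAgent.Browser.Family), " ", tostring(ParsedAgent.Browser.MajorVersion), ".", tostring(ParsedAgent.Browser.MinorVersion));
// Denominator for the share calculation
let TotalSignIns = toscalar(SuccessfulSignIns | count);
SuccessfulSignIns
| summarize
    Total = count(),
    Users = dcount(UserPrincipalName),
    SampleUsers = make_set(UserPrincipalName, 10),
    SampleIPs = make_set(IPAddress, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by Browser
| extend PercentOfTotal = round(100.0 * Total / TotalSignIns, 3)
// Keep only the long tail of rarely seen browsers
| where PercentOfTotal < RareThreshold
| sort by Total asc
```

A rare browser used by a single account, or one whose FirstSeen is recent, is usually the most useful starting point for review.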
