Query Details

Detection Of High Risk Sign Ins From New Or Uncommon I Ps With User Agent Or OS Changes

Query

let ExcludedApps = dynamic(["app-ext-jamfconnect-p"]); // Exclude some Apps
let EnterpriseIPRange = "147.86.0.0/16"; // Define your internal network range here
let ExcludedCountries = dynamic(["Switzerland","Wonderland"]);
let ExcludedOS = dynamic(["Android", "Ios"]);
let LookbackStart = ago(30d);
// Historical Profile: Establish a baseline of "normal" behavior for each user
let UserHistory = SigninLogs
| where TimeGenerated >= LookbackStart and TimeGenerated < ago(1d)
| where ResultType == 0
| summarize 
    KnownIPs = make_set(IPAddress), 
    KnownAgents = make_set(UserAgent),
    KnownOS = make_set(tostring(DeviceDetail.operatingSystem))
    by UserPrincipalName;
// Current Activity: Analyze recent sign-ins with exclusion filters applied
BehaviorAnalytics
| where TimeGenerated > ago(1d)
| where InvestigationPriority >= 3
| where not(ipv4_is_in_range(SourceIPAddress, EnterpriseIPRange))
| project Timestamp=TimeGenerated, UserPrincipalName, SourceIPAddress, InvestigationPriority
| join kind=inner (
    SigninLogs
    | where TimeGenerated > ago(1d)
    | where ResultType == 0 
    | where UserType != "Guest"
    | where AppDisplayName !in (ExcludedApps) // Filter out known management or system applications
    | where DeviceDetail.isManaged == "false" // Focus on unmanaged/BYOD devices
    | where not(tostring(DeviceDetail.operatingSystem) has_any (ExcludedOS))
    | project TimeGenerated, UserPrincipalName, IPAddress, UserAgent, 
              OS = tostring(DeviceDetail.operatingSystem), AppDisplayName
) on UserPrincipalName
| join kind=leftouter UserHistory on UserPrincipalName
// Check if the current activity matches the historical baseline
| extend IsNewIP = iff(set_has_element(KnownIPs, IPAddress), false, true)
| extend IsNewAgent = iff(set_has_element(KnownAgents, UserAgent), false, true)
| extend IsNewOS = iff(set_has_element(KnownOS, OS), false, true)
// Filter: Identify sign-ins from a new IP combined with unknown technical signatures (Agent/OS)
| where IsNewIP == true and (IsNewAgent == true or IsNewOS == true)
| extend IpInfo = geo_info_from_ip_address(SourceIPAddress)
| extend Country = tostring(IpInfo.country)
| where Country !in (ExcludedCountries) // Exclude sign-ins from defined Countries
| summarize arg_max(TimeGenerated, *) by UserPrincipalName

About this query

Detection of High-Risk Sign-ins from New or Uncommon IPs with User Agent or OS Changes

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1078Valid Accountshttps://attack.mitre.org/techniques/T1078

Description

This query identifies users exhibiting unusual authentication behavior by combining Behavior Analytics with recent sign-in activity. It highlights high‑risk sign-ins originating from previously unseen IP addresses where the user agent or operating system has changed compared to historical patterns. The query enriches findings with historical sign-in context and Identity Info to support investigation of potentially compromised accounts.

Author <Optional>

Defender XDR

Explanation

This query is designed to detect potentially risky sign-ins by identifying unusual authentication behaviors. Here's a simplified breakdown:

  1. Purpose: The query aims to find high-risk sign-ins that come from new or uncommon IP addresses, especially when there's a change in the user agent (like a web browser) or operating system compared to what is typically seen for that user.

  2. Baseline Creation: It first establishes a baseline of normal behavior for each user by looking at their sign-in history over the past 30 days. This includes known IP addresses, user agents, and operating systems.

  3. Current Activity Analysis: It then examines recent sign-ins (from the last day) to identify those with a high investigation priority. It filters out sign-ins from the internal network, known management apps, and managed devices, focusing on unmanaged or personal devices.

  4. Comparison and Filtering: The query compares recent sign-ins against the established baseline to check for new IP addresses and changes in user agents or operating systems. It excludes sign-ins from certain countries and specific operating systems.

  5. Result: The query highlights sign-ins that come from new IP addresses and have either a new user agent or operating system, indicating potentially suspicious activity. It provides the most recent suspicious sign-in for each user for further investigation.

Overall, this query helps in identifying potentially compromised accounts by flagging unusual sign-in patterns that deviate from a user's typical behavior.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: April 2, 2026

Tables

SigninLogsBehaviorAnalytics

Keywords

DetectionSigninsIPsUserAgentOSBehaviorAnalyticsSigninActivityAccountsIdentityInfoInvestigationAppsNetworkRangeCountriesProfileLogsIPAddressUserAgentDeviceDetailUserPrincipalNamePriorityUserTypeAppDisplayNameIPIpInfoCountry

Operators

letdynamicagowheresummarizemake_settostringprojectjoinkind=innerkind=leftouterextendiffset_has_elementgeo_info_from_ip_addressarg_max

MITRE Techniques

Actions

GitHub