Detection Of High Risk Sign Ins From New Or Uncommon I Ps With User Agent Or OS Changes
Query
let ExcludedApps = dynamic(["app-ext-jamfconnect-p"]); // Exclude some Apps
let EnterpriseIPRange = "147.86.0.0/16"; // Define your internal network range here
let ExcludedCountries = dynamic(["Switzerland","Wonderland"]);
let ExcludedOS = dynamic(["Android", "Ios"]);
let LookbackStart = ago(30d);
// Historical Profile: Establish a baseline of "normal" behavior for each user
let UserHistory = SigninLogs
| where TimeGenerated >= LookbackStart and TimeGenerated < ago(1d)
| where ResultType == 0
| summarize
KnownIPs = make_set(IPAddress),
KnownAgents = make_set(UserAgent),
KnownOS = make_set(tostring(DeviceDetail.operatingSystem))
by UserPrincipalName;
// Current Activity: Analyze recent sign-ins with exclusion filters applied
BehaviorAnalytics
| where TimeGenerated > ago(1d)
| where InvestigationPriority >= 3
| where not(ipv4_is_in_range(SourceIPAddress, EnterpriseIPRange))
| project Timestamp=TimeGenerated, UserPrincipalName, SourceIPAddress, InvestigationPriority
| join kind=inner (
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| where UserType != "Guest"
| where AppDisplayName !in (ExcludedApps) // Filter out known management or system applications
| where DeviceDetail.isManaged == "false" // Focus on unmanaged/BYOD devices
| where not(tostring(DeviceDetail.operatingSystem) has_any (ExcludedOS))
| project TimeGenerated, UserPrincipalName, IPAddress, UserAgent,
OS = tostring(DeviceDetail.operatingSystem), AppDisplayName
) on UserPrincipalName
| join kind=leftouter UserHistory on UserPrincipalName
// Check if the current activity matches the historical baseline
| extend IsNewIP = iff(set_has_element(KnownIPs, IPAddress), false, true)
| extend IsNewAgent = iff(set_has_element(KnownAgents, UserAgent), false, true)
| extend IsNewOS = iff(set_has_element(KnownOS, OS), false, true)
// Filter: Identify sign-ins from a new IP combined with unknown technical signatures (Agent/OS)
| where IsNewIP == true and (IsNewAgent == true or IsNewOS == true)
| extend IpInfo = geo_info_from_ip_address(SourceIPAddress)
| extend Country = tostring(IpInfo.country)
| where Country !in (ExcludedCountries) // Exclude sign-ins from defined Countries
| summarize arg_max(TimeGenerated, *) by UserPrincipalNameAbout this query
Detection of High-Risk Sign-ins from New or Uncommon IPs with User Agent or OS Changes
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1078 | Valid Accounts | https://attack.mitre.org/techniques/T1078 |
Description
This query identifies users exhibiting unusual authentication behavior by combining Behavior Analytics with recent sign-in activity. It highlights high‑risk sign-ins originating from previously unseen IP addresses where the user agent or operating system has changed compared to historical patterns. The query enriches findings with historical sign-in context and Identity Info to support investigation of potentially compromised accounts.
Author <Optional>
- Name: Benjamin Zulliger
- Github: https://github.com/benscha/KQLAdvancedHunting
- LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/
Defender XDR
Explanation
This query is designed to detect potentially risky sign-ins by identifying unusual authentication behaviors. Here's a simplified breakdown:
-
Purpose: The query aims to find high-risk sign-ins that come from new or uncommon IP addresses, especially when there's a change in the user agent (like a web browser) or operating system compared to what is typically seen for that user.
-
Baseline Creation: It first establishes a baseline of normal behavior for each user by looking at their sign-in history over the past 30 days. This includes known IP addresses, user agents, and operating systems.
-
Current Activity Analysis: It then examines recent sign-ins (from the last day) to identify those with a high investigation priority. It filters out sign-ins from the internal network, known management apps, and managed devices, focusing on unmanaged or personal devices.
-
Comparison and Filtering: The query compares recent sign-ins against the established baseline to check for new IP addresses and changes in user agents or operating systems. It excludes sign-ins from certain countries and specific operating systems.
-
Result: The query highlights sign-ins that come from new IP addresses and have either a new user agent or operating system, indicating potentially suspicious activity. It provides the most recent suspicious sign-in for each user for further investigation.
Overall, this query helps in identifying potentially compromised accounts by flagging unusual sign-in patterns that deviate from a user's typical behavior.
Details

Benjamin Zulliger
Released: April 2, 2026
Tables
Keywords
Operators
MITRE Techniques