Entra Id Sign In Events Suspicious User Agent
Query
//This query is the update to https://github.com/jkerai1/KQL-Queries/blob/main/Defender/AADSignInEventsBeta%20-%20Suspicious%20User%20agent.kqlhttps://github.com/jkerai1/KQL-Queries/blob/main/Defender/AADSignInEventsBeta%20-%20Suspicious%20User%20agent.kql
//This query leverages EntraIdSignInEvents (XDR only table) to look for suspicious User agents
let UserAgents = externaldata(UserAgent: string)[@"https://raw.githubusercontent.com/jkerai1/SoftwareCertificates/refs/heads/main/Bulk-IOC-CSVs/MDA/BannedUserAgentsList.txt"] with (format="txt", ignoreFirstRecord=False); //I switched to txt after some time so ignore the inconsistency with the screenshot
EntraIdSignInEvents
//| where ErrorCode == 0 //Uncomment if you only want successes
| where UserAgent has_any(UserAgents)
| summarize count() by UserAgent //https://user-agents.net/lookup can be a good reason to lookup strings or https://useragents.io/parse
//| summarize count() by UserAgent,AccountUpn,Application //Uncomment to see users and applicationsExplanation
This query is designed to identify suspicious user agents from sign-in events using Microsoft's Entra ID (formerly Azure Active Directory) data. Here's a simple breakdown of what it does:
-
External Data Source: It starts by loading a list of suspicious user agents from an external text file hosted on GitHub. This list is used to identify potentially malicious or unwanted user agents.
-
Data Source: The query uses the
EntraIdSignInEventstable, which contains sign-in event data. This table is part of Microsoft's Extended Detection and Response (XDR) capabilities. -
Filtering: The query checks each sign-in event to see if the
UserAgentfield matches any of the user agents listed in the external file. If a match is found, it indicates a potentially suspicious sign-in attempt. -
Summarization: It summarizes the results by counting the occurrences of each suspicious user agent. This helps in identifying which user agents are most frequently involved in potentially suspicious activities.
-
Optional Filtering: There are commented-out lines in the query that can be uncommented to:
- Filter only successful sign-in attempts by checking if the
ErrorCodeis 0. - Provide more detailed information by summarizing the data with additional fields likeAccountUpn(user's principal name) andApplicationto see which users and applications are associated with these suspicious user agents.
- Filter only successful sign-in attempts by checking if the
Overall, this query is used to monitor and detect potentially malicious sign-in activities by focusing on the user agents involved in those activities.
Details

Jay Kerai
Released: February 17, 2026
Tables
Keywords
Operators