Successful Signin From Suspicious User Agent
Query
// Load the community-maintained list of suspicious HTTP user agents (CSV; header row skipped)
let SuspiciousUserAgents = externaldata(http_user_agent:string,metadata_description:string,metadata_tool:string,metadata_category:string,metadata_link:string,metadata_priority:string,metadata_fp_risk:string,metadata_severity:string,metadata_usage:string,metadata_flow_from_external:string,metadata_flow_from_internal:string,metadata_flow_to_internal:string,metadata_flow_to_external:string,metadata_for_successful_external_login_events:string,metadata_comment:string)["https://raw.githubusercontent.com/mthcht/awesome-lists/refs/heads/main/Lists/suspicious_http_user_agents_list.csv"] with (format="csv", ignoreFirstRecord=true);
// Keep only the categories associated with offensive tooling; in~ matches case-insensitively
let UserAgentsOfInterest = SuspiciousUserAgents
| where metadata_category in~ ("Credential Access",
"Phishing",
"phishing",
"Reconnaissance",
"Exploit",
"Exploitation",
"Exploitation tool",
"Defense Evasion",
"POST Exploitation",
"Bots & Vulnerability Scanner",
"uncommun user agent")
// Strip the list's '*' wildcards so the remaining text can be used as has_any search terms
| extend StandardizedUserAgent = replace_string(http_user_agent, "*", "")
| distinct StandardizedUserAgent;
// Successful sign-ins (ErrorCode 0) whose user agent contains any of the list entries
EntraIdSignInEvents
| where ErrorCode == 0
| where UserAgent has_any (UserAgentsOfInterest)
| project-reorder Timestamp, AccountUpn, LogonType, UserAgent, ErrorCode, SessionId
Explanation
This query is designed to detect potentially suspicious sign-ins to Azure AD (Entra ID) by identifying successful logins that use unusual or known malicious user agent strings. Here's a simplified breakdown:
- Purpose: The query aims to identify successful sign-ins where the user agent string matches a list of suspicious or tool-based user agents. These user agents are often associated with scripts, automation tools, or offensive security tools that attackers might use.
- Data Source: It uses an external CSV file containing a list of suspicious user agent strings. This list includes user agents related to activities like credential access, phishing, reconnaissance, exploitation, and other malicious actions.
- Process:
  - The query first loads the list of suspicious user agents from an external CSV file.
  - It filters this list to focus on user agents associated with specific malicious activities.
  - It then checks the Azure AD sign-in logs for successful sign-ins (where the error code or result type is 0) that match any of these suspicious user agents.
- Output: The query outputs details of these sign-in events, including the timestamp, user account name, type of logon, user agent string, and session ID. This information can help security teams investigate potential unauthorized access or abuse of accounts.
- Risk: Successful sign-ins with these suspicious user agents could indicate that an attacker is using automated tools to perform reconnaissance or abuse compromised accounts, potentially leading to further exploitation.
Overall, this query helps in identifying and investigating potentially malicious activities targeting Azure AD accounts by focusing on unusual user agent strings during successful sign-ins.
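As an added illustration (not part of the original query page), the same pipeline re-implemented in Python and run offline over constructed list rows and constructed sign-in records; the CSV rows, the events, and the substring approximation of KQL's has_any are assumptions made for the example. It also shows a caveat the query itself does not handle: a list entry that is only a wildcard becomes an empty needle after stripping and must be dropped.

```python
import csv
import io

# Constructed rows in the shape of suspicious_http_user_agents_list.csv (only the columns the query reads matter).
SAMPLE_LIST_CSV = """http_user_agent,metadata_description,metadata_tool,metadata_category
python-requests/*,Python HTTP library,requests,Bots & Vulnerability Scanner
*sqlmap*,SQL injection tool,sqlmap,Exploitation tool
curl/*,Command-line HTTP client,curl,uncommun user agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64)*,Regular browser,,Browser
*,Catch-all placeholder,,Exploitation
"""

# Same category list as the query's in~ clause; lower-cased because in~ is case-insensitive.
CATEGORIES_OF_INTEREST = {c.lower() for c in (
    "Credential Access", "Phishing", "Reconnaissance", "Exploit", "Exploitation",
    "Exploitation tool", "Defense Evasion", "POST Exploitation",
    "Bots & Vulnerability Scanner", "uncommun user agent")}

def load_user_agents_of_interest(csv_text):
    """Mirror UserAgentsOfInterest: filter by category (in~), strip '*' (replace_string), dedupe (distinct).
    Entries that are empty after stripping are dropped: an empty needle would match every sign-in."""
    rows = csv.DictReader(io.StringIO(csv_text))
    patterns = {row["http_user_agent"].replace("*", "").strip()
                for row in rows if row["metadata_category"].lower() in CATEGORIES_OF_INTEREST}
    return {p for p in patterns if p}

def find_suspicious_signins(events, patterns):
    """Approximate `where ErrorCode == 0 | where UserAgent has_any (patterns)`. KQL has_any is a
    case-insensitive term match; the substring test used here is a simplification and may be broader."""
    hits = []
    for ev in events:
        if ev["ErrorCode"] != 0:  # nonzero ErrorCode = failed sign-in, not of interest here
            continue
        ua = ev["UserAgent"].lower()
        matched = sorted(p for p in patterns if p.lower() in ua)
        if matched:
            hits.append({**ev, "MatchedPattern": matched[0]})
    return hits

# Constructed EntraIdSignInEvents-style records (Timestamp, AccountUpn, LogonType, UserAgent, ErrorCode).
FIELDS = ("Timestamp", "AccountUpn", "LogonType", "UserAgent", "ErrorCode")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in (
    ("2026-03-23T08:01:00Z", "alice@example.com", "Interactive", "python-requests/2.31.0", 0),
    ("2026-03-23T08:02:00Z", "bob@example.com", "Interactive", "sqlmap/1.7", 50126),
    ("2026-03-23T08:03:00Z", "carol@example.com", "Interactive", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0", 0),
    ("2026-03-23T08:04:00Z", "dave@example.com", "Interactive", "curl/8.4.0", 0),
)]

SUSPICIOUS_SIGNINS = find_suspicious_signins(SAMPLE_EVENTS, load_user_agents_of_interest(SAMPLE_LIST_CSV))
```

Only the two successful sign-ins from tool user agents are returned; the failed sqlmap attempt and the regular browser sign-in are excluded, matching the query's behaviour.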
Details

Bert-Jan Pals
Released: March 23, 2026