← Back to Explore
kqlHunting
Parsed User Agent
| where TimeGenerated > ago(30d)
Detection Query
union SigninLogs,AADNonInteractiveUserSignInLogs
//| where TimeGenerated > ago(30d)
| where isnotempty(UserAgent)
| extend UserAgentDetail = todynamic(parse_user_agent(UserAgent, "browser"))
| extend UserAgentFamily = tostring(parse_json(tostring(UserAgentDetail.Browser)).Family)
| extend UserAgentMajorVersion = toint(parse_json(tostring(UserAgentDetail.Browser)).MajorVersion)
//| summarize count() by UserAgentData Sources
SigninLogs
Platforms
azure-ad
Tags
entra
Raw Content
union SigninLogs,AADNonInteractiveUserSignInLogs
//| where TimeGenerated > ago(30d)
| where isnotempty(UserAgent)
| extend UserAgentDetail = todynamic(parse_user_agent(UserAgent, "browser"))
| extend UserAgentFamily = tostring(parse_json(tostring(UserAgentDetail.Browser)).Family)
| extend UserAgentMajorVersion = toint(parse_json(tostring(UserAgentDetail.Browser)).MajorVersion)
//| summarize count() by UserAgent