Microsoft Sentinel Analytic Rules

Identify instances where a single source is observed using multiple user agents ASIM Web Session

Rule name: Identify instances where a single source is observed using multiple user agents (ASIM Web Session)
Description: This detection mechanism identifies requests originating from a single source within a brief time period that exhibit multiple user agents. Such behavior could indicate unusual web browsing activities performed by unconventional processes.
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source URI: Session Essentials/Analytic Rules/MultipleUAsFromSingleIP.yaml
ARM template: 813ccf3b-0321-4622-b0bc-63518fd14454.json
// Flag sources that present an unusually large number of distinct User-Agent strings
// within a 5-minute window. One row is emitted per (SrcIpAddr, SrcUsername, SrcHostname,
// 5-minute bin) whose distinct-UA count exceeds `threshold`; each row carries the UA,
// URL and destination-IP sets for triage.
// The User-Agent value is supplied by the client, so the count is a heuristic rather
// than an integrity signal; tune `threshold` against the environment's normal baseline.
let threshold = 5; // Please update threshold limit as per your environment
// Successful web sessions from the last hour, read through the ASIM Web Session parser.
// Failed sessions are not considered.
_Im_WebSession(starttime=ago(1h), eventresult="Success")
// Events without a User-Agent header cannot contribute to the distinct count.
| where isnotempty(HttpUserAgent)
// Group by source identity and 5-minute bucket. A single IP seen with several
// SrcUsername / SrcHostname values is split into separate groups, so the count is per
// identity, not per address. make_set is capped at 100 items, so UserAgentCount (derived
// below) saturates at 100 and the URL / destination lists are samples, not inventories.
// NOTE(review): the ARM template's copy of this query also emits EventCount=count() in
// this summarize; the two listings on this page have drifted.
| summarize
    UserAgentList=make_set(HttpUserAgent, 100),
    URL_List = make_set(Url, 100),
    DestinationIPList = make_set(DstIpAddr, 100)
    by SrcIpAddr, SrcUsername, SrcHostname, bin(TimeGenerated, 5min)
// Number of distinct user agents observed in the bucket.
| extend UserAgentCount = array_length(UserAgentList)
// Strict greater-than: exactly `threshold` distinct agents does not alert.
| where UserAgentCount > threshold
// Split a UPN-style SrcUsername into Name (before '@') and UPNSuffix (after '@') for the
// Account entity mapping; a username without '@' maps to Name with an empty suffix.
// Threshold is projected so the alert's custom details record the limit in force.
| extend Name = iif(SrcUsername contains "@", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains "@",tostring(split(SrcUsername,'@',1)[0]),""), Threshold=threshold
  URLs: URL_List
  UserAgentCount: UserAgentCount
  UserAgentThreshold: Threshold
  UserAgentArray: UserAgentList
  DestinationIPList: DestinationIPList
triggerOperator: gt
queryFrequency: 1h
description: |
  'This detection mechanism identifies requests originating from a single source within a brief time period
    that exhibit multiple user agents. Such behavior could indicate unusual web browsing activities performed by unconventional processes'  
  alertDescriptionFormat: "The system has detected high User Agent count of '{{UserAgentCount}}' originating from '{{SrcUsername}}'. Further investigation is necessary to determine the reason behind the detection of multiple user agents associated with the SrcIpAddr in this incident. User Agent list include: '{{UserAgentList}}'"
  alertDisplayNameFormat: User '{{SrcUsername}}' with IP '{{SrcIpAddr}}' has been observed using high number of User Agents within short timeframe
status: Available
kind: Scheduled
triggerThreshold: 0
requiredDataConnectors: []
version: 1.0.0
  aggregationKind: AlertPerResult
queryPeriod: 1h
name: Identify instances where a single source is observed using multiple user agents (ASIM Web Session)
OriginalUri: Session Essentials/Analytic Rules/MultipleUAsFromSingleIP.yaml
id: 813ccf3b-0321-4622-b0bc-63518fd14454
- Schema: WebSession
  SchemaVersion: 0.2.6
- InitialAccess
- CredentialAccess
- T1190
- T1133
- T1528
severity: Medium
- fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
  entityType: IP
- fieldMappings:
  - identifier: HostName
    columnName: SrcHostname
  entityType: Host
- fieldMappings:
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UPNSuffix
  entityType: Account
query: |
  let threshold = 5; // Please update threshold limit as per your environment
  _Im_WebSession(starttime=ago(1h), eventresult="Success")
  | where isnotempty(HttpUserAgent)
  | summarize
      UserAgentList=make_set(HttpUserAgent, 100),
      URL_List = make_set(Url, 100),
      DestinationIPList = make_set(DstIpAddr, 100)
      by SrcIpAddr, SrcUsername, SrcHostname, bin(TimeGenerated, 5min)
  | extend UserAgentCount = array_length(UserAgentList)
  | where UserAgentCount > threshold
  | extend Name = iif(SrcUsername contains "@", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains "@",tostring(split(SrcUsername,'@',1)[0]),""), Threshold=threshold  
  "$schema": "",
  "contentVersion": "",
  "parameters": {
    "workspace": {
      "type": "String"
  "resources": [
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/813ccf3b-0321-4622-b0bc-63518fd14454')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/813ccf3b-0321-4622-b0bc-63518fd14454')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "The system has detected high User Agent count of '{{UserAgentCount}}' originating from '{{SrcUsername}}'. Further investigation is necessary to determine the reason behind the detection of multiple user agents associated with the SrcIpAddr in this incident. User Agent list include: '{{UserAgentList}}'",
          "alertDisplayNameFormat": "User '{{SrcUsername}}' with IP '{{SrcIpAddr}}' has been observed using high number of User Agents within short timeframe"
        "alertRuleTemplateName": "813ccf3b-0321-4622-b0bc-63518fd14454",
        "customDetails": {
          "DestinationIPList": "DestinationIPList",
          "URLs": "URL_List",
          "UserAgentArray": "UserAgentList",
          "UserAgentCount": "UserAgentCount",
          "UserAgentThreshold": "Threshold"
        "description": "'This detection mechanism identifies requests originating from a single source within a brief time period\n  that exhibit multiple user agents. Such behavior could indicate unusual web browsing activities performed by unconventional processes'\n",
        "displayName": "Identify instances where a single source is observed using multiple user agents (ASIM Web Session)",
        "enabled": true,
        "entityMappings": [
            "entityType": "IP",
            "fieldMappings": [
                "columnName": "SrcIpAddr",
                "identifier": "Address"
            "entityType": "Host",
            "fieldMappings": [
                "columnName": "SrcHostname",
                "identifier": "HostName"
            "entityType": "Account",
            "fieldMappings": [
                "columnName": "Name",
                "identifier": "Name"
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        "OriginalUri": " Session Essentials/Analytic Rules/MultipleUAsFromSingleIP.yaml",
        "query": "let threshold = 5; // Please update threshold limit as per your environment\n_Im_WebSession(starttime=ago(1h), eventresult=\"Success\")\n| where isnotempty(HttpUserAgent)\n| summarize\n    EventCount=count(),\n    UserAgentList=make_set(HttpUserAgent, 100),\n    URL_List = make_set(Url, 100),\n    DestinationIPList = make_set(DstIpAddr, 100)\n    by SrcIpAddr, SrcUsername, SrcHostname, bin(TimeGenerated, 5min)\n| extend UserAgentCount = array_length(UserAgentList)\n| where UserAgentCount > threshold\n| extend Name = iif(SrcUsername contains \"@\", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains \"@\",tostring(split(SrcUsername,'@',1)[0]),\"\"), Threshold=threshold\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
        "tags": [
            "Schema": "WebSession",
            "SchemaVersion": "0.2.6"
        "techniques": [
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"