Identify instances where a single source is observed using multiple user agents ASIM Web Session
| Id | 813ccf3b-0321-4622-b0bc-63518fd14454 |
| Rulename | Identify instances where a single source is observed using multiple user agents (ASIM Web Session) |
| Description | This detection mechanism identifies requests originating from a single source within a brief time period that exhibit multiple user agents. Such behavior could indicate unusual web browsing activities performed by unconventional processes |
| Severity | Medium |
| Tactics | InitialAccess CredentialAccess |
| Techniques | T1190 T1133 T1528 |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/MultipleUAsFromSingleIP.yaml |
| Version | 1.0.1 |
| Arm template | 813ccf3b-0321-4622-b0bc-63518fd14454.json |
// Detection: a single source (IP / username / hostname) presenting more than
// `threshold` distinct User-Agent strings inside one 5-minute bin of successful
// web sessions. The output columns feed the rule's customDetails
// (UserAgentCount, UserAgentList, Threshold, URL_List, DestinationIPList) and
// its entity mappings (SrcIpAddr, SrcHostname, Name, UPNSuffix); renaming any of
// them requires updating the rule definition as well.
let threshold = 5; // Please update threshold limit as per your environment
// Only successful sessions from the last hour are examined. Denied/failed
// requests are filtered out by eventresult, so User-Agent rotation that is
// already being blocked at the proxy does not contribute to the count.
_Im_WebSession(starttime=ago(1h), eventresult="Success")
// A session without a User-Agent cannot contribute to the distinct-UA set.
| where isnotempty(HttpUserAgent)
// Group per source IP, username and hostname in 5-minute buckets. Each set is
// capped at 100 entries, so UserAgentCount (below) saturates at 100.
// NOTE(review): for log sources where SrcUsername/SrcHostname are empty, every
// client behind a shared egress IP (NAT/proxy) collapses into one group and
// the UA count may be inflated — tune `threshold` or exclude known egress IPs.
| summarize
EventCount=count(),
UserAgentList=make_set(HttpUserAgent, 100),
URL_List = make_set(Url, 100),
DestinationIPList = make_set(DstIpAddr, 100)
by SrcIpAddr, SrcUsername, SrcHostname, bin(TimeGenerated, 5min)
// Number of distinct User-Agent strings in the bucket; minor UA variations
// (e.g. version differences) count as separate entries.
| extend UserAgentCount = array_length(UserAgentList)
| where UserAgentCount > threshold
// Split a UPN-style username into Name / UPNSuffix for the Account entity;
// a username without '@' keeps the full value as Name with an empty suffix.
// Threshold is surfaced as a column so the alert records the limit in force.
| extend Name = iif(SrcUsername contains "@", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains "@",tostring(split(SrcUsername,'@',1)[0]),""), Threshold=threshold
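# Microsoft Sentinel scheduled analytic rule (ASIM Web Session). Indentation is
# restored so the nested keys (alertDetailsOverride, customDetails,
# eventGroupingSettings, tags, entityMappings) parse as one rule document.
alertDetailsOverride:
  # {{...}} placeholders are substituted from the query's output columns.
  alertDescriptionFormat: "The system has detected high User Agent count of '{{UserAgentCount}}' originating from '{{SrcUsername}}'. Further investigation is necessary to determine the reason behind the detection of multiple user agents associated with the SrcIpAddr in this incident. User Agent list include: '{{UserAgentList}}'"
  alertDisplayNameFormat: User '{{SrcUsername}}' with IP '{{SrcIpAddr}}' has been observed using high number of User Agents within short timeframe
description: |
  'This detection mechanism identifies requests originating from a single source within a brief time period that exhibit multiple user agents. Such behavior could indicate unusual web browsing activities performed by unconventional processes'
kind: Scheduled
tactics:
  - InitialAccess
  - CredentialAccess
# No connector is pinned; the query reads through the _Im_WebSession ASIM parser,
# which therefore has to be deployed in the workspace (see tags.Schema below).
requiredDataConnectors: []
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web Session Essentials/Analytic Rules/MultipleUAsFromSingleIP.yaml
severity: Medium
name: Identify instances where a single source is observed using multiple user agents (ASIM Web Session)
# Extra fields carried into the alert for triage: key = alert field name,
# value = query output column.
customDetails:
  UserAgentCount: UserAgentCount
  UserAgentArray: UserAgentList
  UserAgentThreshold: Threshold
  URLs: URL_List
  DestinationIPList: DestinationIPList
# triggerThreshold 0 with triggerOperator gt: any row returned by the query
# raises an alert.
triggerThreshold: 0
queryPeriod: 1h
# Flags a source IP / username / hostname that presents more than `threshold`
# distinct User-Agent strings inside one 5-minute bin of successful sessions.
# The make_set calls are capped at 100 entries, so UserAgentCount saturates at
# 100. Name / UPNSuffix are derived from SrcUsername for the Account entity.
query: |
  let threshold = 5; // Please update threshold limit as per your environment
  _Im_WebSession(starttime=ago(1h), eventresult="Success")
  | where isnotempty(HttpUserAgent)
  | summarize
      EventCount=count(),
      UserAgentList=make_set(HttpUserAgent, 100),
      URL_List = make_set(Url, 100),
      DestinationIPList = make_set(DstIpAddr, 100)
    by SrcIpAddr, SrcUsername, SrcHostname, bin(TimeGenerated, 5min)
  | extend UserAgentCount = array_length(UserAgentList)
  | where UserAgentCount > threshold
  | extend Name = iif(SrcUsername contains "@", tostring(split(SrcUsername,'@',0)[0]),SrcUsername), UPNSuffix = iif(SrcUsername contains "@",tostring(split(SrcUsername,'@',1)[0]),""), Threshold=threshold
relevantTechniques:
  - T1190
  - T1133
  - T1528
id: 813ccf3b-0321-4622-b0bc-63518fd14454
queryFrequency: 1h
status: Available
version: 1.0.1
triggerOperator: gt
# One alert per result row, i.e. per (SrcIpAddr, SrcUsername, SrcHostname,
# 5-minute bin) combination that exceeded the threshold.
eventGroupingSettings:
  aggregationKind: AlertPerResult
tags:
  - Schema: WebSession
    SchemaVersion: 0.2.6
# Query columns promoted to entities: SrcIpAddr -> IP, SrcHostname -> Host,
# Name + UPNSuffix -> Account.
entityMappings:
  - entityType: IP
    fieldMappings:
      - columnName: SrcIpAddr
        identifier: Address
  - entityType: Host
    fieldMappings:
      - columnName: SrcHostname
        identifier: HostName
  - entityType: Account
    fieldMappings:
      - columnName: Name
        identifier: Name
      - columnName: UPNSuffix
        identifier: UPNSuffix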