I would like to be able to search Microsoft 365 user agents in the Elastic data for a couple of reasons. One is that it helps me identify older protocols; for example, CBAInPROD indicates POP or IMAP, so I can recommend that they be disabled or that an attacker used them.
When there is an account compromise, I can find attacker source IP addresses by comparing the various user agent strings. This is helpful when attackers compromise accounts from within the same country as the organization, as most of the time the attacker's user agent will be different from the non-malicious login's user agent.
I would like to build a detection rule that can alert when an account is accessed by a rare user agent.
As it is, when I try to look at user agents, they are under Extended Properties. Can the user agent be broken out into a field?
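One way to break the user agent out of ExtendedProperties and flag agents that are rare for an account, as an added example that is not part of the post and not Elastic's own code; the records are constructed, and the Name/Value list layout assumed for ExtendedProperties is the one the Office 365 Management Activity API emits for UserLoggedIn events:

```python
from collections import Counter, defaultdict

# Constructed sample of Microsoft 365 "UserLoggedIn" audit records. The
# ExtendedProperties layout (list of Name/Value pairs) follows the Office 365
# Management Activity API; users, IPs and agent strings are made up.
CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/120"
SAMPLE_RECORDS = [
    {"UserId": "alice@example.com", "ClientIP": "203.0.113.10",
     "ExtendedProperties": [{"Name": "RequestType", "Value": "OAuth2:Authorize"},
                            {"Name": "UserAgent", "Value": CHROME}]},
    {"UserId": "alice@example.com", "ClientIP": "203.0.113.10",
     "ExtendedProperties": [{"Name": "UserAgent", "Value": CHROME}]},
    # Same country as the organisation, but a legacy-protocol agent never seen for alice.
    {"UserId": "alice@example.com", "ClientIP": "198.51.100.7",
     "ExtendedProperties": [{"Name": "UserAgent", "Value": "CBAInPROD"}]},
    {"UserId": "bob@example.com", "ClientIP": "203.0.113.11",
     "ExtendedProperties": [{"Name": "UserAgent", "Value": "Microsoft Office/16.0 (Outlook)"}]},
    {"UserId": "bob@example.com", "ClientIP": "203.0.113.11",
     "ExtendedProperties": [{"Name": "UserAgent", "Value": "Microsoft Office/16.0 (Outlook)"}]},
]
LEGACY_MARKERS = ("CBAInPROD",)  # agent marker the post ties to POP/IMAP

def user_agent(record):
    """Extract UserAgent from the ExtendedProperties Name/Value list, or None."""
    for prop in record.get("ExtendedProperties", []):
        if prop.get("Name") == "UserAgent":
            return prop.get("Value")
    return None

def flatten(record):
    """Copy of the record with the user agent broken out as a top-level field."""
    return {**record, "UserAgent": user_agent(record)}

def rare_agent_logins(records, max_seen=1):
    """(UserId, UserAgent, ClientIP) for logins whose agent occurs at most
    max_seen times for that account within the batch; input order kept."""
    seen = defaultdict(Counter)
    for r in records:
        if user_agent(r):
            seen[r["UserId"]][user_agent(r)] += 1
    return [(r["UserId"], user_agent(r), r.get("ClientIP")) for r in records
            if user_agent(r) and seen[r["UserId"]][user_agent(r)] <= max_seen]

def legacy_protocol_logins(records):
    """(UserId, ClientIP) for logins whose agent carries a legacy-protocol marker."""
    return [(r["UserId"], r.get("ClientIP")) for r in records
            if any(m in (user_agent(r) or "") for m in LEGACY_MARKERS)]
```

In production the per-account counts would come from a baseline window (for example the previous 30 days) rather than the same batch, so a first-ever agent stands out against history instead of against a handful of records.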