Forum Discussion
Unusual user agent found in table AADNonInteractiveUserSignInLogs
Hello,
While investigating the records of the table "AADNonInteractiveUserSignInLogs", I found a user-agent "Rich Client 4.40.0.0". Searching the web, I have not found any information about it, nor do I know what this user-agent is.
Has anyone seen this in a case related to Azure log-ins?
Regards.
5 Replies
- dezanewoods9572 (Copper Contributor)
https://techcommunity.microsoft.com/t5/s/gxcuf89792/rss/board?board.id=MicrosoftSentinel
- KS_OSK (Copper Contributor)
Chris_321 we're seeing this too. Login attempts on accounts coming from "Windows 10" devices with "Rich Client 4.40.0.0", always from Microsoft Datacentres.
There is some correlation between the person whose account appears in Sentinel and the time/service they are actively using (i.e. the logs will appear from "Exchange Online" with the above user agents and a Microsoft IP when that account is actively using Exchange Online).
We're fairly sure Sentinel is just reading Microsoft service logins (possibly misconfigurations) elsewhere in the cloud, but we've had zero feedback from Microsoft regarding this, despite submitting support tickets when it happens.
It's either an attack using Microsoft cloud resource, or it's a misconfiguration causing SIEM/security log noise across numerous tenants. In either case, you'd think Microsoft would be more interested, but here we are.. 2 years later, and it's still happening.
- GaryBushey (Bronze Contributor)
I have not seen this in my environment but it sounds like a phone app or something similar.
- Chris_321 (Copper Contributor)
But the connection is made via Microsoft Authenticator to validate the authentication by MFA, i.e. the user agent Rich Client 4.40.0.0.0 is the Microsoft Authenticator?
- GaryBushey (Bronze Contributor)
Could it be the Azure app someone is running on their phone? Or possibly a different app that uses the MS MFA?
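
The following query is an added example, not part of the thread or written by any of its participants. It lists "Rich Client" entries in AADNonInteractiveUserSignInLogs by application and source IP and counts how many had no other non-interactive sign-in by the same user to the same application close in time, which is the correlation described in the replies above. The 7-day lookback and 30-minute window are assumptions to adjust.

```kql
// Added example. Assumptions: 7-day lookback, 30-minute correlation window.
let lookback = 7d;
let window = 30m;
// Sign-ins carrying the user agent discussed in the thread.
let richClient =
    AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(lookback)
    | where UserAgent startswith "Rich Client"
    | project RichTime = TimeGenerated, UserPrincipalName, AppDisplayName,
              IPAddress, AutonomousSystemNumber, ResultType, UserAgent;
// Every other non-interactive sign-in, used as evidence that the user was active.
let otherActivity =
    AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(lookback + window)
    | where UserAgent !startswith "Rich Client"
    | project OtherTime = TimeGenerated, UserPrincipalName, AppDisplayName,
              OtherIP = IPAddress;
richClient
| join kind=leftouter otherActivity on UserPrincipalName, AppDisplayName
// A match only counts if it falls inside the window around the Rich Client event.
| extend Near = isnotnull(OtherTime)
    and OtherTime between ((RichTime - window) .. (RichTime + window))
| summarize NearbyHits = countif(Near), NearbyIPs = make_set_if(OtherIP, Near, 10)
    by RichTime, UserPrincipalName, AppDisplayName, IPAddress,
       AutonomousSystemNumber, ResultType, UserAgent
// Roll up per source: uncorrelated events and failures are the ones to review first.
| summarize Events = count(),
            Uncorrelated = countif(NearbyHits == 0),
            Failures = countif(ResultType != "0"),
            Users = dcount(UserPrincipalName),
            FirstSeen = min(RichTime), LastSeen = max(RichTime)
    by UserAgent, AppDisplayName, IPAddress, AutonomousSystemNumber
| order by Uncorrelated desc, Events desc
```

A high Uncorrelated count, or source addresses outside the expected Microsoft ranges, marks the entries that do not fit the pattern described in the replies.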