parse_user_agent()

Article
09/30/2024

Applies to: ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel

Interprets a user-agent string, which identifies the user's browser and provides certain system details to servers hosting the websites the user visits. The result is returned as dynamic.

Syntax

parse_user_agent(user-agent-string, look-for)

Learn more about syntax conventions.

Parameters

Name	Type	Required	Description
user-agent-string	`string`	✔️	The user-agent string to parse.
look-for	string or dynamic	✔️	The value to search for in user-agent-string. The possible options are "browser", "os", or "device". If only a single parsing target is required, it can be passed a `string` parameter. If two or three targets are required, they can be passed as a `dynamic` array.

Returns

An object of type dynamic that contains the information about the requested parsing targets.

Browser: Family, MajorVersion, MinorVersion, Patch

OperatingSystem: Family, MajorVersion, MinorVersion, Patch, PatchMinor

Device: Family, Brand, Model

Warning

The function implementation is built on regex checks of the input string against a huge number of predefined patterns. Therefore the expected time and CPU consumption is high. When the function is used in a query, make sure it runs in a distributed manner on multiple machines. If queries with this function are frequently used, you may want to pre-create the results via update policy, but you need to take into account that using this function inside the update policy will increase the ingestion latency.

Examples

Look-for parameter as string

Run the query

print useragent = "Mozilla/5.0 (Windows; U; en-US) AppleWebKit/531.9 (KHTML, like Gecko) AdobeAIR/2.5.1"
| extend x = parse_user_agent(useragent, "browser")

Expected result is a dynamic object:

{
  "Browser": {
    "Family": "AdobeAIR",
    "MajorVersion": "2",
    "MinorVersion": "5",
    "Patch": "1"
  }
}

Look-for parameter as dynamic array