Python User-Agent Detected [RULE-1163]
This rule detects sign-in activity in Entra ID whose User-Agent string identifies a Python HTTP client, such as "python-requests", or a known tool name such as "roadtools". Such sign-ins can indicate the use of attack tooling like ROADtools, which attackers use to systematically enumerate an Entra ID tenant.
Rationale
A normal user or application signs in through a browser or a mobile or desktop client with a standard user agent such as "Mozilla/5.0" or "Microsoft Teams". A sign-in with a Python user agent such as "python-requests" or "roadtools" indicates automated tooling rather than interactive use. Legitimate automation (Python scripts built on the requests library, scheduled inventory or provisioning jobs, CI pipelines) produces the same user agents, so known service accounts and the source addresses they run from should be allowlisted; a Python user agent on any other account, and in particular on an interactive user account, warrants investigation.
Attackers who have obtained credentials (for example through phishing, password spraying or credential stuffing) use tools such as ROADtools to enumerate the environment with as little noise as possible: the collection consists of ordinary authenticated API calls and rarely triggers alerts of its own. Within minutes the tool can provide a complete picture of all admin accounts, role assignments, application permissions, external users and other security-relevant configuration. Attackers use this information to plan the next steps: privilege escalation, lateral movement or the identification of high-value targets.
A Python user agent in the sign-in logs is therefore an early indicator of an active attacker who already holds valid credentials. The attacker is in the reconnaissance phase (MITRE ATT&CK tactic Discovery, for example T1087.004 Account Discovery: Cloud Account and T1069.003 Permission Groups Discovery: Cloud Groups) and is trying to understand how the environment is set up before doing further damage. This is the moment to intervene, before the attack escalates to data exfiltration or the compromise of privileged accounts.
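The detection logic described above, run over a few constructed sign-in records, as an added example. This code is not part of the rule and does not come from ROADtools or Microsoft. The record shape follows the Microsoft Graph signIn resource (userPrincipalName, ipAddress, userAgent, appDisplayName, status.errorCode); the sample values, the allowlist of expected automation and the user-agent patterns beyond "python-requests" and "roadtools" are assumptions made for the example.

```python
import re
from collections import defaultdict

# User agents this rule treats as Python tooling. "python-requests" and
# "roadtools" are the rule's own examples; the other Python HTTP clients
# are an assumed extension of the same idea.
PYTHON_UA = re.compile(
    r"\b(python-requests|python-httpx|python-urllib|python/\d|aiohttp|roadtools)",
    re.IGNORECASE,
)

# Assumed allowlist: lowercase UPN of known automation -> the source IPs it
# is expected to run from. An allowlisted account seen from another IP
# still raises an alert.
ALLOWLIST = {
    "svc-inventory@contoso.example": {"192.0.2.25"},
}

# Constructed sample sign-in records (values are invented; documentation
# IP ranges are used for the addresses).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-02T08:01:10Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-02T08:03:44Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "198.51.100.7", "appDisplayName": "Azure Active Directory PowerShell",
     "userAgent": "python-requests/2.31.0", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-02T08:03:52Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Azure CLI",
     "userAgent": "python-requests/2.31.0", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-02T08:04:10Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "198.51.100.7", "appDisplayName": "Azure Active Directory PowerShell",
     "userAgent": "roadtools", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-02T08:10:00Z", "userPrincipalName": "svc-inventory@contoso.example",
     "ipAddress": "192.0.2.25", "appDisplayName": "Inventory Sync",
     "userAgent": "python-requests/2.28.2", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-02T08:12:31Z", "userPrincipalName": "carol@contoso.example",
     "ipAddress": "203.0.113.99", "appDisplayName": "Azure Active Directory PowerShell",
     "userAgent": "Python-urllib/3.11", "status": {"errorCode": 50126}},  # failed sign-in
]


def is_python_user_agent(user_agent):
    """True if the User-Agent string identifies a Python client or ROADtools."""
    return bool(user_agent and PYTHON_UA.search(user_agent))


def is_expected_automation(record, allowlist):
    """True only if the account is allowlisted AND came from one of its known IPs."""
    expected_ips = allowlist.get(record.get("userPrincipalName", "").lower())
    return expected_ips is not None and record.get("ipAddress") in expected_ips


def detect_python_user_agents(signins, allowlist):
    """Group matching sign-ins per (user, source IP) and return one alert each.

    Successful sign-ins are ranked first: a Python user agent that obtained a
    token means the attacker can already enumerate the tenant.
    """
    hits = defaultdict(list)
    for record in signins:
        if not is_python_user_agent(record.get("userAgent")):
            continue
        if is_expected_automation(record, allowlist):
            continue
        key = (record["userPrincipalName"].lower(), record.get("ipAddress"))
        hits[key].append(record)

    alerts = []
    for (upn, ip), records in hits.items():
        alerts.append({
            "user": upn,
            "ip": ip,
            "count": len(records),
            "successful": sum(1 for r in records if r["status"]["errorCode"] == 0),
            "user_agents": sorted({r["userAgent"] for r in records}),
            "apps": sorted({r["appDisplayName"] for r in records}),
            "first_seen": min(r["createdDateTime"] for r in records),
            "last_seen": max(r["createdDateTime"] for r in records),
        })
    return sorted(alerts, key=lambda a: (-a["successful"], a["user"]))


if __name__ == "__main__":
    for alert in detect_python_user_agents(SAMPLE_SIGNINS, ALLOWLIST):
        print(f"[RULE-1163] {alert['user']} from {alert['ip']}: {alert['count']} sign-ins, "
              f"{alert['successful']} successful, agents={alert['user_agents']}, apps={alert['apps']}")
```

Grouping by user and source IP rather than alerting on every record keeps one ROADtools run as one alert, and the successful-versus-failed split lets the analyst prioritise accounts whose credentials actually worked over a Python client that is merely spraying passwords.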