Commit
UI corrected for AzureDevAuditing
v-prasadboke committed Nov 28, 2023
1 parent e6d9703 commit f3e0d91
Showing 9 changed files with 674 additions and 673 deletions.
@@ -1,5 +1,5 @@
id: 5f0d80db-3415-4265-9d52-8466b7372e3a
name: Azure DevOps PAT used with Browser.
name: Azure DevOps PAT used with Browser
description: |
'Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications.
This can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser.
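Review bot: the only change in this hunk is dropping the trailing period from the `name` field (line 17 to line 18), which matches the label edits in createUiDefinition.json; the same display name is also carried inside the packaged solution, and the zip at Solutions/AzureDevOpsAuditing/Package/3.0.1.zip is modified in this commit but cannot be reviewed, so please confirm it was regenerated from the updated YAML rather than edited by hand, otherwise the rule template's display name and the UI label diverge again.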
@@ -1,5 +1,5 @@
id: 155e9134-d5ad-4a6f-88f3-99c220040b66
name: Azure DevOps Pipeline modified by a new user.
name: Azure DevOps Pipeline modified by a new user
description: |
'There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to.
This detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Microsoft Entra ID Protection
@@ -1,5 +1,5 @@
id: 3b9a44d7-c651-45ed-816c-eae583a6f2f1
name: Azure DevOps Build Variable Modified by New User.
name: Azure DevOps Build Variable Modified by New User
description: |
'Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify
or add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users,
@@ -1,5 +1,5 @@
id: 4ce177b3-56b1-4f0e-b83e-27eed4cb0b16
name: New Agent Added to Pool by New User or Added to a New OS Type.
id: 4ce177b3-56b1-4f0e-b83e-27eed4cb0b1
name: New Agent Added to Pool by New User or Added to a New OS Type
description: |
'As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks.
An attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have
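Review bot: the `id` on line 45 has lost its last character: `4ce177b3-56b1-4f0e-b83e-27eed4cb0b16` on line 43 became `4ce177b3-56b1-4f0e-b83e-27eed4cb0b1`, a 35-character value that is no longer a well-formed GUID. This commit is described as a UI correction, and every other hunk only trims a trailing period from `name`; changing a rule template's id also breaks the link between the template and any analytics rule already deployed from it. Restore the original id and keep only the `name` change on line 46.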
@@ -1,5 +1,5 @@
id: 940386c3-4b2c-4147-ac8e-dcddedaaae52
name: Azure DevOps - Build Check Deleted.
name: Azure DevOps - Build Check Deleted
description: |
'Build checks can be built into a pipeline in order control the release process, these can include things such as the successful passing of certain steps, or an explicit user approval. An attacker who has altered a build process may look to remove a check in order to ensure a compromised build is released. This hunting query simply looks for all check removal events, these should be relatively uncommon. In the output Type shows the type of Check that was deleted. '
requiredDataConnectors: []
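Review bot: unchanged context line 57 reads "in order control the release process" (missing "to") and runs several sentences together with commas; since this commit is tidying display text for these queries, the description is worth fixing in the same pass, for example "Build checks can be built into a pipeline in order to control the release process. These can include ..."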
@@ -1,5 +1,5 @@
id: 20be967c-4923-4c4b-8e1d-e1c95d537dc3
name: Azure DevOps - Internal Upstream Package Feed Added.
name: Azure DevOps - Internal Upstream Package Feed Added
description: |
'An attacker aiming to insert malicious code into a build process could look to introduce compromised upstream packages into the build process. Looking at internal packages can have a significant false positive rate compared to looking at external feeds so running this as a hunting query at least initially is advised. If an environment has low number of events it can be upgraded to a detection.'
requiredDataConnectors: []
Binary file modified Solutions/AzureDevOpsAuditing/Package/3.0.1.zip
12 changes: 6 additions & 6 deletions Solutions/AzureDevOpsAuditing/Package/createUiDefinition.json
@@ -122,7 +122,7 @@
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "Azure DevOps PAT used with Browser.",
"label": "Azure DevOps PAT used with Browser",
"elements": [
{
"name": "analytic4-text",
@@ -136,7 +136,7 @@
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "Azure DevOps Pipeline modified by a new user.",
"label": "Azure DevOps Pipeline modified by a new user",
"elements": [
{
"name": "analytic5-text",
@@ -178,7 +178,7 @@
{
"name": "analytic8",
"type": "Microsoft.Common.Section",
"label": "Azure DevOps Build Variable Modified by New User.",
"label": "Azure DevOps Build Variable Modified by New User",
"elements": [
{
"name": "analytic8-text",
@@ -290,7 +290,7 @@
{
"name": "analytic16",
"type": "Microsoft.Common.Section",
"label": "New Agent Added to Pool by New User or Added to a New OS Type.",
"label": "New Agent Added to Pool by New User or Added to a New OS Type",
"elements": [
{
"name": "analytic16-text",
@@ -384,7 +384,7 @@
{
"name": "huntingquery3",
"type": "Microsoft.Common.Section",
"label": "Azure DevOps - Build Check Deleted.",
"label": "Azure DevOps - Build Check Deleted",
"elements": [
{
"name": "huntingquery3-text",
@@ -412,7 +412,7 @@
{
"name": "huntingquery5",
"type": "Microsoft.Common.Section",
"label": "Azure DevOps - Internal Upstream Package Feed Added.",
"label": "Azure DevOps - Internal Upstream Package Feed Added",
"elements": [
{
"name": "huntingquery5-text",