Azure · rahul0216 · Jul 20, 2024 · Jul 15, 2024 · Jul 16, 2024
@@ -13,6 +13,8 @@ triggerOperator: gt
 triggerThreshold: 0
 tactics:
   - CredentialAccess
+relevantTechniques:
+  - T1528
 query: |
   AzureDevOpsAuditing
   | where AuthenticationMechanism startswith "PAT"
@@ -32,5 +34,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IpAddress
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled
@@ -45,7 +45,7 @@
   ],
   "Metadata": "SolutionMetadata.json",
   "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\AzureDevOpsAuditing",
-  "Version": "3.0.2",
+  "Version": "3.0.3",
   "TemplateSpec": true,
   "Is1PConnector": true
 }
@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/AzureDevOpsAuditing/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Azure DevOps](https://azure.microsoft.com/products/devops/) Auditing solution for Microsoft Sentinel allows monitoring Azure DevOps [audit events](https://docs.microsoft.com/azure/devops/organizations/audit/azure-devops-auditing?view=azure-devops&tabs=preview-page#review-audit-log) to enable detection of malicious and/or unauthorized access and modification in the repository or pipelines.  The streaming of [Azure DevOps Audit logs to Azure Monitor](https://docs.microsoft.com/azure/devops/organizations/audit/auditing-streaming?view=azure-devops) must be configured to start ingesting audit events.\n\n**Analytic Rules:** 19, **Hunting Queries:** 17\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/AzureDevOpsAuditing/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Azure DevOps](https://azure.microsoft.com/products/devops/) Auditing solution for Microsoft Sentinel allows monitoring Azure DevOps [audit events](https://docs.microsoft.com/azure/devops/organizations/audit/azure-devops-auditing?view=azure-devops&tabs=preview-page#review-audit-log) to enable detection of malicious and/or unauthorized access and modification in the repository or pipelines.  The streaming of [Azure DevOps Audit logs to Azure Monitor](https://docs.microsoft.com/azure/devops/organizations/audit/auditing-streaming?view=azure-devops) must be configured to start ingesting audit events.\n\n**Analytic Rules:** 19, **Hunting Queries:** 17\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -86,7 +86,7 @@
                 "name": "analytic1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \ndetection focuses on the creation of new self-hosted pools. To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity."
+                  "text": "As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this   detection focuses on the creation of new self-hosted pools.\nTo further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), as an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity."
                 }
               }
             ]
@@ -100,7 +100,7 @@
                 "name": "analytic2-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action \nits unlikely to have a high false positive rate."
+                  "text": "Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action its unlikely to have a high false positive rate."
                 }
               }
             ]
@@ -156,7 +156,7 @@
                 "name": "analytic6-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Microsoft Entra ID Protection \nin order to show if the user conducting the action has any associated Microsoft Entra ID Protection alerts. You can also choose to filter this detection to only alert when the user also has Microsoft Entra ID Protection alerts associated with them."
+                  "text": "There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Microsoft Entra ID Protection in order to show if the user conducting the action has any associated Microsoft Entra ID Protection alerts. You can also choose to filter this detection to only alert when the user also has Microsoft Entra ID Protection alerts associated with them."
                 }
               }
             ]
@@ -198,7 +198,7 @@
                 "name": "analytic9-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \njust detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed \nmodifying them before."
+                  "text": "Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify or add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build.\nAs variables are often changed by users, just detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed modifying them before."
                 }
               }
             ]
@@ -240,7 +240,7 @@
                 "name": "analytic12-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and\nnot historically included in the allow list Build/Release runs.  This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections."
+                  "text": "This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and not historically included in the allow list Build/Release runs.\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections."
                 }
               }
             ]
@@ -268,7 +268,7 @@
                 "name": "analytic14-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \nAn attacker would also likely want to cover their tracks once conducting such activity. This query looks for Pipelines \ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases."
+                  "text": "An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, or to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \nAn attacker would also likely want to cover their tracks once conducting such activity. This query looks for Pipelines created and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases."
                 }
               }
             ]
@@ -282,7 +282,7 @@
                 "name": "analytic15-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Flags builds/releases that use a large number of service connections if they aren't manually in the allow list.\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse\nor dump credentials from service connections."
+                  "text": "Flags builds/releases that use a large number of service connections if they aren't manually in the allow list.\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections."
                 }
               }
             ]
@@ -310,7 +310,7 @@
                 "name": "analytic17-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. This detection has potential for false positives so has a \nconfigurable allow list to allow for certain users to be excluded from the logic."
+                  "text": "As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have not added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. This detection has potential for false positives so has a configurable allow list to allow for certain users to be excluded from the logic."
                 }
               }
             ]
@@ -324,7 +324,7 @@
                 "name": "analytic18-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \nusers granted these permissions should be small. Note that permissions can also be granted via Microsoft Entra ID Protection groups and monitoring of these \nshould also be conducted."
+                  "text": "In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of users granted these permissions should be small. Note that permissions can also be granted via Microsoft Entra ID Protection groups and monitoring of these should also be conducted."
                 }
               }
             ]
@@ -338,7 +338,7 @@
                 "name": "analytic19-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \n before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action \n its unlikely to have a high false positive rate."
+                  "text": "Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action its unlikely to have a high false positive rate."
                 }
               }
             ]