Skip to content

Commit ce56017

Browse files
authored
Merge pull request #12020 from Azure/origins/users/rahul/ado-auditlog-dataconnector
Azure DevOps Audit Log CCP
2 parents a90d8fb + d3d1f94 commit ce56017

49 files changed

Lines changed: 1957 additions & 248 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
Lines changed: 114 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,114 @@
1+
{
2+
"FunctionName": "ADOAuditLogs",
3+
"FunctionParameters": [],
4+
"FunctionResultColumns": [
5+
{
6+
"name": "TimeGenerated",
7+
"type": "datetime"
8+
},
9+
{
10+
"name": "ActivityId",
11+
"type": "string"
12+
},
13+
{
14+
"name": "ActorCUID",
15+
"type": "string"
16+
},
17+
{
18+
"name": "ActorClientId",
19+
"type": "string"
20+
},
21+
{
22+
"name": "ActorDisplayName",
23+
"type": "string"
24+
},
25+
{
26+
"name": "ActorImageUrl",
27+
"type": "string"
28+
},
29+
{
30+
"name": "ActorUPN",
31+
"type": "string"
32+
},
33+
{
34+
"name": "ActorUserId",
35+
"type": "string"
36+
},
37+
{
38+
"name": "Area",
39+
"type": "string"
40+
},
41+
{
42+
"name": "AuthenticationMechanism",
43+
"type": "string"
44+
},
45+
{
46+
"name": "Category",
47+
"type": "string"
48+
},
49+
{
50+
"name": "CategoryDisplayName",
51+
"type": "string"
52+
},
53+
{
54+
"name": "CorrelationId",
55+
"type": "string"
56+
},
57+
{
58+
"name": "Data",
59+
"type": "dynamic"
60+
},
61+
{
62+
"name": "Details",
63+
"type": "string"
64+
},
65+
{
66+
"name": "Id",
67+
"type": "string"
68+
},
69+
{
70+
"name": "IpAddress",
71+
"type": "string"
72+
},
73+
{
74+
"name": "OperationName",
75+
"type": "string"
76+
},
77+
{
78+
"name": "ProjectId",
79+
"type": "string"
80+
},
81+
{
82+
"name": "ProjectName",
83+
"type": "string"
84+
},
85+
{
86+
"name": "ScopeDisplayName",
87+
"type": "string"
88+
},
89+
{
90+
"name": "ScopeId",
91+
"type": "string"
92+
},
93+
{
94+
"name": "ScopeType",
95+
"type": "string"
96+
},
97+
{
98+
"name": "UserAgent",
99+
"type": "string"
100+
},
101+
{
102+
"name": "Type",
103+
"type": "string"
104+
},
105+
{
106+
"name": "TenantId",
107+
"type": "string"
108+
},
109+
{
110+
"name": "SourceSystem",
111+
"type": "string"
112+
}
113+
]
114+
}
Lines changed: 101 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,101 @@
1+
{
2+
"Name": "ADOAuditLogs_CL",
3+
"Properties": [
4+
{
5+
"name": "TimeGenerated",
6+
"type": "datetime"
7+
},
8+
{
9+
"name": "ActionId",
10+
"type": "string"
11+
},
12+
{
13+
"name": "ActivityId",
14+
"type": "string"
15+
},
16+
{
17+
"name": "ActorCUID",
18+
"type": "string"
19+
},
20+
{
21+
"name": "ActorClientId",
22+
"type": "string"
23+
},
24+
{
25+
"name": "ActorDisplayName",
26+
"type": "string"
27+
},
28+
{
29+
"name": "ActorImageUrl",
30+
"type": "string"
31+
},
32+
{
33+
"name": "ActorUPN",
34+
"type": "string"
35+
},
36+
{
37+
"name": "ActorUserId",
38+
"type": "string"
39+
},
40+
{
41+
"name": "Area",
42+
"type": "string"
43+
},
44+
{
45+
"name": "AuthenticationMechanism",
46+
"type": "string"
47+
},
48+
{
49+
"name": "Category",
50+
"type": "string"
51+
},
52+
{
53+
"name": "CategoryDisplayName",
54+
"type": "string"
55+
},
56+
{
57+
"name": "CorrelationId",
58+
"type": "string"
59+
},
60+
{
61+
"name": "Data",
62+
"type": "dynamic"
63+
},
64+
{
65+
"name": "Details",
66+
"type": "string"
67+
},
68+
{
69+
"name": "Id",
70+
"type": "string"
71+
},
72+
{
73+
"name": "IpAddress",
74+
"type": "string"
75+
},
76+
{
77+
"name": "ProjectId",
78+
"type": "string"
79+
},
80+
{
81+
"name": "ProjectName",
82+
"type": "string"
83+
},
84+
{
85+
"name": "ScopeDisplayName",
86+
"type": "string"
87+
},
88+
{
89+
"name": "ScopeId",
90+
"type": "string"
91+
},
92+
{
93+
"name": "ScopeType",
94+
"type": "string"
95+
},
96+
{
97+
"name": "UserAgent",
98+
"type": "string"
99+
}
100+
]
101+
}

Solutions/AzureDevOpsAuditing/Analytic Rules/ADOAgentPoolCreatedDeleted.yaml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@ relevantTechniques:
1818
query: |
1919
let lookback = 14d;
2020
let timewindow = 7d;
21-
AzureDevOpsAuditing
21+
ADOAuditLogs
2222
| where TimeGenerated > ago(lookback)
2323
| where OperationName =~ "Library.AgentPoolCreated"
2424
| extend AgentCloudId = tostring(Data.AgentCloudId)
@@ -31,7 +31,7 @@ query: |
3131
| extend IsLegacy = tostring(Data.IsLegacy)
3232
| extend timekey = bin(TimeGenerated, timewindow)
3333
// Join only with pools deleted in the same window
34-
| join (AzureDevOpsAuditing
34+
| join (ADOAuditLogs
3535
| where TimeGenerated > ago(lookback)
3636
| where OperationName =~ "Library.AgentPoolDeleted"
3737
| extend AgentPoolName = tostring(Data.AgentPoolName)
@@ -53,5 +53,5 @@ entityMappings:
5353
fieldMappings:
5454
- identifier: Address
5555
columnName: IpAddress
56-
version: 1.0.4
56+
version: 1.0.5
5757
kind: Scheduled

Solutions/AzureDevOpsAuditing/Analytic Rules/ADOAuditStreamDisabled.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ tactics:
1414
relevantTechniques:
1515
- T1562.008
1616
query: |
17-
AzureDevOpsAuditing
17+
ADOAuditLogs
1818
| where OperationName =~ "AuditLog.StreamDisabledByUser"
1919
| extend StreamType = tostring(Data.ConsumerType)
2020
| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType
@@ -33,5 +33,5 @@ entityMappings:
3333
fieldMappings:
3434
- identifier: Address
3535
columnName: IpAddress
36-
version: 1.0.4
36+
version: 1.0.5
3737
kind: Scheduled

Solutions/AzureDevOpsAuditing/Analytic Rules/ADOMaliciousToolingDetections1.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ tactics:
1414
relevantTechniques:
1515
- T1119
1616
query: |
17-
AzureDevOpsAuditing
17+
ADOAuditLogs
1818
// Look for known bad user agents
1919
| where UserAgent has_any ("ADOKit")
2020
| extend timestamp = TimeGenerated
@@ -32,5 +32,5 @@ entityMappings:
3232
fieldMappings:
3333
- identifier: Address
3434
columnName: IpAddress
35-
version: 1.0.3
35+
version: 1.0.4
3636
kind: Scheduled

Solutions/AzureDevOpsAuditing/Analytic Rules/ADONewExtensionAdded.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,7 @@ relevantTechniques:
1616
- T1505
1717
query: |
1818
let allowed_publishers = dynamic([]);
19-
AzureDevOpsAuditing
19+
ADOAuditLogs
2020
| where OperationName =~ "Extension.Installed"
2121
| extend ExtensionName = tostring(Data.ExtensionName)
2222
| extend PublisherName = tostring(Data.PublisherName)
@@ -37,5 +37,5 @@ entityMappings:
3737
fieldMappings:
3838
- identifier: Address
3939
columnName: IpAddress
40-
version: 1.0.3
40+
version: 1.0.4
4141
kind: Scheduled

Solutions/AzureDevOpsAuditing/Analytic Rules/ADOPATUsedWithBrowser.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,7 @@ tactics:
1616
relevantTechniques:
1717
- T1528
1818
query: |
19-
AzureDevOpsAuditing
19+
ADOAuditLogs
2020
| where AuthenticationMechanism startswith "PAT"
2121
// Look for useragents that include a redenring engine
2222
| where UserAgent has_any ("Gecko", "WebKit", "Presto", "Trident", "EdgeHTML", "Blink")
@@ -34,5 +34,5 @@ entityMappings:
3434
fieldMappings:
3535
- identifier: Address
3636
columnName: IpAddress
37-
version: 1.0.5
37+
version: 1.0.6
3838
kind: Scheduled

Solutions/AzureDevOpsAuditing/Analytic Rules/ADOPipelineModifiedbyNewUser.yaml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -22,14 +22,14 @@ query: |
2222
// Set the period for detections
2323
let timeframe = 1d;
2424
// Get a list of previous Release Pipeline creators to exclude
25-
let releaseusers = AzureDevOpsAuditing
25+
let releaseusers = ADOAuditLogs
2626
| where TimeGenerated > ago(timeback) and TimeGenerated < ago(timeframe)
2727
| where OperationName in ("Release.ReleasePipelineCreated", "Release.ReleasePipelineModified")
2828
// We want to look for users performing actions in specific projects so we create this userscope object to match on
2929
| extend UserScope = strcat(ActorUserId, "-", ProjectName)
3030
| summarize by UserScope;
3131
// Get Release Pipeline creations by new users
32-
AzureDevOpsAuditing
32+
ADOAuditLogs
3333
| where TimeGenerated > ago(timeframe)
3434
| where OperationName =~ "Release.ReleasePipelineModified"
3535
| extend UserScope = strcat(ActorUserId, "-", ProjectName)
@@ -61,5 +61,5 @@ entityMappings:
6161
fieldMappings:
6262
- identifier: Address
6363
columnName: IpAddress
64-
version: 1.0.7
64+
version: 1.0.8
6565
kind: Scheduled

Solutions/AzureDevOpsAuditing/Analytic Rules/ADORetentionReduced.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@ tactics:
1515
relevantTechniques:
1616
- T1564
1717
query: |
18-
AzureDevOpsAuditing
18+
ADOAuditLogs
1919
| where OperationName =~ "Pipelines.PipelineRetentionSettingChanged"
2020
| where Data.SettingName in ("PurgeArtifacts", "PurgeRuns")
2121
| where Data.NewValue == 1 or Data.NewValue < Data.OldValue/2
@@ -35,5 +35,5 @@ entityMappings:
3535
fieldMappings:
3636
- identifier: Address
3737
columnName: IpAddress
38-
version: 1.0.4
38+
version: 1.0.5
3939
kind: Scheduled

Solutions/AzureDevOpsAuditing/Analytic Rules/ADOSecretNotSecured.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,7 @@ relevantTechniques:
1616
- T1552
1717
query: |
1818
let keywords = dynamic(["secret", "secrets", "password", "PAT", "passwd", "pswd", "pwd", "cred", "creds", "credentials", "credential", "key"]);
19-
AzureDevOpsAuditing
19+
ADOAuditLogs
2020
| where OperationName =~ "Library.VariableGroupModified"
2121
| extend Type = tostring(Data.Type)
2222
| extend VariableGroupId = tostring(Data.VariableGroupId)
@@ -40,5 +40,5 @@ entityMappings:
4040
fieldMappings:
4141
- identifier: Address
4242
columnName: IpAddress
43-
version: 1.0.3
43+
version: 1.0.4
4444
kind: Scheduled

0 commit comments

Comments
 (0)