-
Notifications
You must be signed in to change notification settings - Fork 3.6k
Expand file tree
/
Copy pathAzureDevOpsAuditLogs_DataConnectorDefinition.json
More file actions
131 lines (131 loc) · 7.49 KB
/
AzureDevOpsAuditLogs_DataConnectorDefinition.json
File metadata and controls
131 lines (131 loc) · 7.49 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
{
"name": "AzureDevOpsAuditLogsCcpDefinition",
"apiVersion": "2024-09-01",
"type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
"location": "{{location}}",
"kind": "Customizable",
"properties": {
"connectorUiConfig": {
"id": "AzureDevOpsAuditLogs",
"title": "Azure DevOps Audit Logs (via Codeless Connector Platform)",
"publisher": "Microsoft",
"descriptionMarkdown": "The Azure DevOps Audit Logs data connector allows you to ingest audit events from Azure DevOps into Microsoft Sentinel. This data connector is built using the Microsoft Sentinel Codeless Connector Platform, ensuring seamless integration. It leverages the Azure DevOps Audit Logs API to fetch detailed audit events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview). These transformations enable parsing of the received audit data into a custom table during ingestion, improving query performance by eliminating the need for additional parsing. By using this connector, you can gain enhanced visibility into your Azure DevOps environment and streamline your security operations.",
"graphQueriesTableName": "ADOAuditLogs_CL",
"graphQueries": [
{
"metricName": "Total events received",
"legend": "Azure DevOps Events",
"baseQuery": "{{graphQueriesTableName}}"
}
],
"sampleQueries": [
{
"description": "Get a sample of Azure DevOps audit logs",
"query": "{{graphQueriesTableName}}\n | take 10"
}
],
"dataTypes": [
{
"name": "{{graphQueriesTableName}}",
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "HasDataConnectors"
}
],
"availability": {
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "Read and Write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "Read permissions to shared keys for the workspace are required.",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Azure DevOps Prerequisite",
"description": "Please ensure the following:<br> 1. Register an Entra App in Microsoft Entra Admin Center under App Registrations.<br> 2. In 'API permissions' - add Permissions to 'Azure DevOps - vso.auditlog'.<br> 3. In 'Certificates & secrets' - generate 'Client secret'.<br> 4. In 'Authentication' - add Redirect URI: 'https://portal.azure.com/TokenAuthorize/ExtensionName/Microsoft_Azure_Security_Insights'.<br> 5. In the Azure DevOps settings - enable audit log and set **View audit log** for the user. [Azure DevOps Auditing](https://learn.microsoft.com/en-us/azure/devops/organizations/audit/azure-devops-auditing?view=azure-devops&tabs=preview-page).<br> 6. Ensure the user assigned to connect the data connector has the View audit logs permission explicitly set to Allow at all times. This permission is essential for successful log ingestion. If the permission is revoked or not granted, data ingestion will fail or be interrupted."
}
]
},
"instructionSteps": [
{
"title": "Connect to Azure DevOps to start collecting Audit logs in Microsoft Sentinel.\n",
"instructions": [
{
"type": "Markdown",
"parameters": {
"content": "\n1. Enter the App you have registered.\n 2. In the 'Overview' section, copy the Application (client) ID.\n 3. Select the 'Endpoints' button, and copy the 'OAuth 2.0 authorization endpoint (v2)' value and the 'OAuth 2.0 token endpoint (v2)' value.\n 4. In the 'Certificates & secrets' section, copy the 'Client Secret value', and store it securely.\n5. Provide the required information below and click 'Connect'."
}
},
{
"type": "Textbox",
"parameters": {
"label": "Token Endpoint",
"name": "tokenEndpoint",
"placeholder": "https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/token",
"type": "text",
"validations": {
"required": true
}
}
},
{
"type": "Textbox",
"parameters": {
"label": "Authorization Endpoint",
"name": "authorizationEndpoint",
"placeholder": "https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/authorize",
"type": "text",
"validations": {
"required": true
}
}
},
{
"type": "Textbox",
"parameters": {
"label": "API Endpoint",
"name": "apiEndpoint",
"placeholder": "https://auditservice.dev.azure.com/{organizationName}/_apis/audit/auditlog?api-version=7.2-preview",
"type": "text",
"validations": {
"required": true
}
}
},
{
"type": "OAuthForm",
"parameters": {
"clientIdLabel": "App Client ID",
"clientSecretLabel": "App Client Secret",
"connectButtonLabel": "Connect",
"disconnectButtonLabel": "Disconnect"
}
}
]
}
]
}
}
}