-
Notifications
You must be signed in to change notification settings - Fork 3.6k
Expand file tree
/
Copy pathSolution_AzureDevOpsAuditing.json
More file actions
56 lines (56 loc) · 3.73 KB
/
Solution_AzureDevOpsAuditing.json
File metadata and controls
56 lines (56 loc) · 3.73 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
{
"Name": "AzureDevOpsAuditing",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/AzureDevOps.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [Azure DevOps](https://azure.microsoft.com/products/devops/) Auditing solution for Microsoft Sentinel allows monitoring Azure DevOps [audit events](https://docs.microsoft.com/azure/devops/organizations/audit/azure-devops-auditing?view=azure-devops&tabs=preview-page#review-audit-log) to enable detection of malicious and/or unauthorized access and modification in the repository or pipelines. The streaming of [Azure DevOps Audit logs to Azure Monitor](https://docs.microsoft.com/azure/devops/organizations/audit/auditing-streaming?view=azure-devops) must be configured to start ingesting audit events. <p><span style='color:red; font-weight:bold;'>NOTE</span>: Microsoft recommends installation of Azure DevOps Audit Logs (Preview) (via Codeless Connector Platform). This connector is build on the Codeless Connector Platform (CCP), which uses the Log Ingestion API, which replaces ingestion via the <a href='https://learn.microsoft.com/en-us/azure/azure-monitor/logs/custom-logs-migrate' style='color:#1890F1;'>deprecated HTTP Data Collector API</a>. CCP-based data connectors also support <a href='https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview' style='color:#1890F1;'>Data Collection Rules</a> (DCRs) offering transformations and enrichment.</p> ",
"Data Connectors": [
"Data Connectors/AzureDevOpsAuditLogs_CCP/AzureDevOpsAuditLogs_DataConnectorDefinition.json"
],
"Analytic Rules": [
"Analytic Rules/ADOAgentPoolCreatedDeleted.yaml",
"Analytic Rules/ADOAuditStreamDisabled.yaml",
"Analytic Rules/ADOMaliciousToolingDetections1.yaml",
"Analytic Rules/ADONewExtensionAdded.yaml",
"Analytic Rules/ADOPATUsedWithBrowser.yaml",
"Analytic Rules/ADOPipelineModifiedbyNewUser.yaml",
"Analytic Rules/ADORetentionReduced.yaml",
"Analytic Rules/ADOSecretNotSecured.yaml",
"Analytic Rules/ADOVariableModifiedByNewUser.yaml",
"Analytic Rules/AzDOAdminGroupAdditions.yaml",
"Analytic Rules/AzDOHistoricPrPolicyBypassing.yaml",
"Analytic Rules/AzDOHistoricServiceConnectionAdds.yaml",
"Analytic Rules/AzDOPatSessionMisuse.yaml",
"Analytic Rules/AzDOPipelineCreatedDeletedOneDay.yaml",
"Analytic Rules/AzDOServiceConnectionUsage.yaml",
"Analytic Rules/ExternalUpstreamSourceAddedtoAzureDevOpsFeed.yaml",
"Analytic Rules/NewAgentAddedToPoolbyNewUserorofNewOS.yaml",
"Analytic Rules/NewPAPCAPCASaddedtoADO.yaml",
"Analytic Rules/NRT_ADOAuditStreamDisabled.yaml"
],
"Hunting Queries": [
"Hunting Queries/EntraID Conditional Access Disabled.yaml",
"Hunting Queries/Addtional Org Admin Added.yaml",
"Hunting Queries/ADOBuildCheckDeleted.yaml",
"Hunting Queries/ADOBuildDeletedAfterPipelineMod.yaml",
"Hunting Queries/ADOInternalUpstreamPacakgeFeedAdded.yaml",
"Hunting Queries/ADONewAgentPoolCreated.yaml",
"Hunting Queries/ADONewPackageFeedCreated.yaml",
"Hunting Queries/ADONewPATOperation.yaml",
"Hunting Queries/ADONewReleaseApprover.yaml",
"Hunting Queries/ADOReleasePipelineCreated.yaml",
"Hunting Queries/ADOVariableCreatedDeleted.yaml",
"Hunting Queries/AzDODisplayNameSwapping.yaml",
"Hunting Queries/AzDOPrPolicyBypassers.yaml",
"Hunting Queries/Guest users access enabled.yaml",
"Hunting Queries/Project visibility changed to public.yaml",
"Hunting Queries/Public project created.yaml",
"Hunting Queries/Public Projects enabled.yaml"
],
"Parsers": [
"Parsers/ADOAuditLogs.yaml"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\Users\\rahkuma\\Downloads\\Github\\Azure-Sentinel\\Solutions\\AzureDevOpsAuditing",
"Version": "3.0.4",
"TemplateSpec": true
}