An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, or to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. An attacker would also likely want to cover their tracks after conducting such activity. This query looks for pipelines created and deleted within the same day, which is unlikely to be legitimate user activity in the majority of cases.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | AzureDevOpsAuditing |
| ID | 17f23fbe-bb73-4324-8ecf-a18545a5dc26 |
| Severity | Medium |
| Status | Available |
| Kind | Scheduled |
| Tactics | Execution |
| Techniques | T1072 |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
| ADOAuditLogs_CL | ? | ✓ | ? |
| AzureDevOpsAuditing | ✓ | ✗ | ? |
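The detection logic described at the top of this page, sketched as an added Python example over constructed audit events; it is not the rule's own query. The field names and operation names are assumptions, and "same day" is taken to mean the same UTC calendar day, so a pipeline created just before midnight and deleted just after it (pipeline 102 below) is not matched.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit events. Field names and operation names are
# assumptions for illustration, not taken from the rule's query.
SAMPLE_EVENTS = [
    {"time": "2024-03-04T09:12:00Z", "op": "PipelineCreated", "pipeline_id": "101", "actor": "alice@example.com"},
    {"time": "2024-03-04T09:40:00Z", "op": "PipelineDeleted", "pipeline_id": "101", "actor": "alice@example.com"},
    {"time": "2024-03-04T23:50:00Z", "op": "PipelineCreated", "pipeline_id": "102", "actor": "bob@example.com"},
    {"time": "2024-03-05T00:10:00Z", "op": "PipelineDeleted", "pipeline_id": "102", "actor": "bob@example.com"},
    {"time": "2024-03-05T08:00:00Z", "op": "PipelineDeleted", "pipeline_id": "90", "actor": "carol@example.com"},
    {"time": "2024-03-06T10:00:00Z", "op": "PipelineCreated", "pipeline_id": "103", "actor": "dave@example.com"},
    {"time": "2024-03-06T10:30:00Z", "op": "PipelineDeleted", "pipeline_id": "103", "actor": "eve@example.com"},
]

def parse_time(value):
    """Parse an ISO 8601 UTC timestamp of the form used in SAMPLE_EVENTS."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def same_day_create_delete(events):
    """Return one finding per pipeline created and later deleted on the same UTC day."""
    created = defaultdict(list)  # (pipeline_id, day) -> [(create time, creator)]
    for e in events:
        if e["op"] == "PipelineCreated":
            t = parse_time(e["time"])
            created[(e["pipeline_id"], t.date())].append((t, e["actor"]))
    findings = []
    for e in events:
        if e["op"] != "PipelineDeleted":
            continue
        t_del = parse_time(e["time"])
        # Join deletions to creations on pipeline ID and calendar day.
        for t_new, creator in created.get((e["pipeline_id"], t_del.date()), []):
            if t_new <= t_del:  # the deletion must follow the creation
                findings.append({
                    "pipeline_id": e["pipeline_id"],
                    "day": t_del.date().isoformat(),
                    "created_by": creator,
                    "deleted_by": e["actor"],
                    "lifetime_minutes": int((t_del - t_new).total_seconds() // 60),
                })
    return findings

if __name__ == "__main__":
    for finding in same_day_create_delete(SAMPLE_EVENTS):
        print(finding)
```

Keeping the creating and deleting identities in each finding lets a reviewer see when different accounts created and removed the same pipeline.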