Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs. This query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | AzureDevOpsAuditing |
| ID | 71d374e0-1cf8-4e50-aecd-ab6c519795c2 |
| Severity | Low |
| Status | Available |
| Kind | Scheduled |
| Tactics | DefenseEvasion |
| Techniques | T1564 |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
ADOAuditLogs_CL |
? | ✓ | ? |
AzureDevOpsAuditing |
✓ | ✗ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊