Azure DevOps Auditing

Solution: AzureDevOpsAuditing



Attribute | Value
Publisher | Microsoft Corporation
Support Tier | Microsoft
Support Link | https://support.microsoft.com/
Categories | domains
Version | 3.0.8
Author | Microsoft - support@microsoft.com
First Published | 2022-09-20
Last Updated | 2026-02-17
Solution Folder | AzureDevOpsAuditing
Marketplace | Azure Marketplace · Popularity: 🟢 High (88%)

The Azure DevOps Auditing solution for Microsoft Sentinel enables monitoring of Azure DevOps audit events so that malicious or unauthorized access to, and modification of, repositories and pipelines can be detected.

NOTE: Microsoft recommends installing the Azure DevOps Audit Logs (Preview) connector (via Codeless Connector Platform). This connector is built on the Codeless Connector Platform (CCP) and uses the Log Ingestion API, which replaces ingestion via the deprecated HTTP Data Collector API. CCP-based data connectors also support Data Collection Rules (DCRs), which offer transformations and enrichment at ingestion time.

Contents

Data Connectors

This solution provides 1 data connector(s):

Tables Used

This solution uses 2 table(s):

Table | Used By Connectors | Used By Content
ADOAuditLogs_CL | Azure DevOps Audit Logs (via Codeless Connector Platform) | Analytics, Hunting
AzureDevOpsAuditing | - | Analytics, Hunting

Internal Tables

The following 1 table(s) are used internally by this solution's content items:

Table | Used By Connectors | Used By Content
SecurityAlert | - | Analytics, Hunting

Content Items

This solution includes 37 content item(s):

Content Type | Count
Analytic Rules | 19
Hunting Queries | 17
Parsers | 1

Analytic Rules

Name | Severity | Tactics | Tables Used
Azure DevOps Administrator Group Monitoring | Medium | Persistence | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps Agent Pool Created Then Deleted | High | DefenseEvasion | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps Audit Detection for known malicious tooling | High | Collection | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps Audit Stream Disabled | High | DefenseEvasion | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps Build Variable Modified by New User | Medium | DefenseEvasion | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps New Extension Added | Low | Persistence | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps PAT used with Browser | Medium | CredentialAccess | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps Personal Access Token (PAT) misuse | High | Execution, Impact | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps Pipeline Created and Deleted on the Same Day | Medium | Execution | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps Pipeline modified by a new user | Medium | Execution, DefenseEvasion | ADOAuditLogs_CL, AzureDevOpsAuditing (internal use: SecurityAlert)
Azure DevOps Pull Request Policy Bypassing - Historic allow list | Medium | Persistence | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps Retention Reduced | Low | DefenseEvasion | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps Service Connection Abuse | Medium | Persistence, Impact | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps Service Connection Addition/Abuse - Historic allow list | Medium | Persistence, Impact | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps Variable Secret Not Secured | Medium | CredentialAccess | ADOAuditLogs_CL, AzureDevOpsAuditing
External Upstream Source Added to Azure DevOps Feed | Medium | InitialAccess | ADOAuditLogs_CL, AzureDevOpsAuditing
NRT Azure DevOps Audit Stream Disabled | High | DefenseEvasion | ADOAuditLogs_CL, AzureDevOpsAuditing
New Agent Added to Pool by New User or Added to a New OS Type | Medium | Execution | ADOAuditLogs_CL, AzureDevOpsAuditing
New PA, PCA, or PCAS added to Azure DevOps | Medium | InitialAccess | ADOAuditLogs_CL, AzureDevOpsAuditing

Hunting Queries

Name | Tactics | Tables Used
Azure DevOps - Build Check Deleted | DefenseEvasion | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps - Build Deleted After Pipeline Modification | Persistence | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps - Internal Upstream Package Feed Added | InitialAccess | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps - New Agent Pool Created | DefenseEvasion | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps - New PAT Operation | DefenseEvasion | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps - New Package Feed Created | InitialAccess | ADOAuditLogs_CL, AzureDevOpsAuditing (internal use: SecurityAlert)
Azure DevOps - New Release Approver | DefenseEvasion | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps - New Release Pipeline Created | Persistence, Execution, PrivilegeEscalation | ADOAuditLogs_CL, AzureDevOpsAuditing (internal use: SecurityAlert)
Azure DevOps - Variable Created and Deleted | DefenseEvasion | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps Display Name Changes | Persistence, DefenseEvasion | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps Pull Request Policy Bypassing | Execution | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps - Additional Org Admin added | Persistence, DefenseEvasion | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps - Guest users access enabled | Persistence, DefenseEvasion | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps - Microsoft Entra ID Protection Conditional Access Disabled | Persistence, DefenseEvasion | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps - Project visibility changed to public | Collection | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps - Public project created | Persistence, DefenseEvasion | ADOAuditLogs_CL, AzureDevOpsAuditing
Azure DevOps - Public project enabled by admin | Persistence, DefenseEvasion | ADOAuditLogs_CL, AzureDevOpsAuditing

Parsers

Name | Description | Tables Used
ADOAuditLogs | |

Release Notes

Version | Date Modified (DD-MM-YYYY) | Change History
3.0.8 | 26-01-2026 | Updated Data Connector to support dynamic Redirect URI.
3.0.7 | 22-01-2026 | Updated solution description by eliminating legacy streaming text.
3.0.6 | 19-06-2025 | Updated Data Connector instructions to include a note about user permissions.
3.0.5 | 05-05-2025 | Updated Data Connector instructions.
3.0.4 | 15-04-2025 | Added new CCP Connector - Azure DevOps Audit Logs.
3.0.3 | 16-07-2024 | Updated the Analytic rules for missing TTP.
3.0.2 | 23-01-2024 | Updated the solution to fix Analytic Rules deployment issue.
3.0.1 | 27-11-2023 | Added new Entity Mappings to Analytic Rules.
3.0.0 | 06-11-2023 | Modified text to reflect the rebranding from Azure Active Directory to Microsoft Entra ID.
