AzureDevOpsAuditing



Attribute Value
Supports Transformations ✓ Yes (source)
Ingestion API Supported ✗ No


Solutions (3)

This table is used by the following solutions:


Content Items Using This Table (38)

Analytic Rules (19)

In solution AzureDevOpsAuditing:

Analytic Rule Selection Criteria
Azure DevOps Administrator Group Monitoring
Azure DevOps Agent Pool Created Then Deleted
Azure DevOps Audit Detection for known malicious tooling
Azure DevOps Audit Stream Disabled
Azure DevOps Build Variable Modified by New User
Azure DevOps New Extension Added
Azure DevOps PAT used with Browser
Azure DevOps Personal Access Token (PAT) misuse
Azure DevOps Pipeline Created and Deleted on the Same Day
Azure DevOps Pipeline modified by a new user
Azure DevOps Pull Request Policy Bypassing - Historic allow list
Azure DevOps Retention Reduced
Azure DevOps Service Connection Abuse
Azure DevOps Service Connection Addition/Abuse - Historic allow list
Azure DevOps Variable Secret Not Secured
External Upstream Source Added to Azure DevOps Feed
NRT Azure DevOps Audit Stream Disabled
New Agent Added to Pool by New User or Added to a New OS Type
New PA, PCA, or PCAS added to Azure DevOps

Hunting Queries (17)

In solution AzureDevOpsAuditing:

Hunting Query Selection Criteria
Azure DevOps - Build Check Deleted
Azure DevOps - Build Deleted After Pipeline Modification
Azure DevOps - Internal Upstream Package Feed Added
Azure DevOps - New Agent Pool Created
Azure DevOps - New PAT Operation
Azure DevOps - New Package Feed Created
Azure DevOps - New Release Approver
Azure DevOps - New Release Pipeline Created
Azure DevOps - Variable Created and Deleted
Azure DevOps Display Name Changes
Azure DevOps Pull Request Policy Bypassing
Azure DevOps- Addtional Org Admin added
Azure DevOps- Guest users access enabled
Azure DevOps- Microsoft Entra ID Protection Conditional Access Disabled
Azure DevOps- Project visibility changed to public
Azure DevOps- Public project created
Azure DevOps- Public project enabled by admin

Workbooks (2)

In solution AzureSecurityBenchmark:

Workbook Selection Criteria
AzureSecurityBenchmark

In solution ContinuousDiagnostics&Mitigation:

Workbook Selection Criteria
ContinuousDiagnostics&Mitigation

Parsers Using This Table (1)

Other Parsers (1)

Parser Solution Selection Criteria
ADOAuditLogs AzureDevOpsAuditing
