Azure DevOps auditing with Microsoft Sentinel

Azure DevOps provides a comprehensive suite of tools for developers to manage the software development lifecycle and incorporate security practices into their development processes.

Azure DevOps Auditing is a centralized log management and analysis tool for administrators and security teams to monitor, investigate, and audit activities across Azure DevOps services. The primary goal is to enhance security, compliance, and operational integrity within the Azure DevOps environment. Here’s a more detailed overview of its functionalities and the reasons for using it.

Overview of Azure DevOps Auditing

  • Centralized Logging: Azure DevOps Auditing consolidates logs from various projects and services under a single Azure DevOps organization, making it easier for administrators to monitor activities across the entire organization.
  • Comprehensive Activity Tracking: It captures a wide range of activities, from changes in service connections and Azure Pipelines to modifications in permissions, access controls, and organizational policies. This broad spectrum of audited activities helps maintain a detailed record of operations, changes, and access throughout Azure DevOps services.
  • Detailed Event Records: Each audited event includes critical details such as the action performed, the identity of the user or service that performed the action, the timestamp of the action, and the specific resources affected. This granularity aids in thorough investigations and audits.

Many activities are being logged, such as service connection changes, Azure pipeline changes, permission changes, access control modifications, project and repository changes, organizational policy changes, etc. You can find a detailed overview of all the areas, actions, and action categories being logged by Azure DevOps Auditing functionality here: Auditing events list.

Why Use Azure DevOps Auditing

Security: Azure DevOps Auditing helps identify and mitigate potential security threats by monitoring and logging critical changes and activities. It allows organizations to detect unauthorized access or modifications to their DevOps environment.

Compliance: For organizations subject to regulatory requirements, Azure DevOps Auditing provides the tools to ensure compliance with standards such as GDPR, HIPAA, SOC 2, etc. The ability to track and report on access and changes to sensitive data is crucial for regulatory audits.

Operational Integrity: Keeping a detailed log of changes and activities helps troubleshoot and understand the history of changes within the Azure DevOps environment. This can be invaluable for resolving issues and ensuring the operational integrity of development workflows.

Transparency and Accountability: Auditing establishes a culture of transparency and accountability within teams. It creates a traceable record of who did what and when, which can be critical for internal audits, forensic analysis, and maintaining operational best practices.

Custom Reporting and Analysis: Exporting and analyzing audit logs enables organizations to create custom reports, conduct in-depth security analyses, and integrate with external SIEM tools for advanced monitoring and alerting capabilities.

Azure DevOps Auditing integration with Microsoft Sentinel

Integrating Azure DevOps Auditing with Microsoft Sentinel provides a powerful combination for enhancing security and compliance across your DevOps and cloud environments. Microsoft Sentinel is a scalable, cloud-native SIEM and SOAR solution. By feeding Azure DevOps audit logs into Sentinel, organizations can apply its analytics, machine learning, and integrated threat intelligence to detect, investigate, and respond to potential threats in near real time. Here is how the integration helps and the steps involved in setting it up:

Benefits of Integration

Enhanced Security Monitoring: Sentinel can analyze audit logs from Azure DevOps for unusual activities, patterns, and potential security threats, offering a more comprehensive security posture.

Automated Threat Detection and Response: Sentinel’s SOAR capabilities allow you to automate responses to common threats detected in Azure DevOps activities, reducing the time and resources needed for manual interventions.

Advanced Analytics and AI: Leverage Sentinel’s machine learning and AI capabilities to identify sophisticated threats and anomalies within your DevOps environment.

Unified Security Management: Integrating Azure DevOps with Sentinel allows for centralized management of security alerts, logs, and responses across Azure and other cloud environments, streamlining security operations.

Regulatory Compliance: This integration helps maintain compliance with industry regulations by providing detailed audit trails, real-time security monitoring, and automated reporting capabilities.

How To

To enable auditing and stream the events into Microsoft Sentinel for threat hunting and detection-rule development, you need the following:

  • Azure DevOps – Admin access or Project Collection Administrators.
  • Microsoft Sentinel – Microsoft Sentinel Admin access.
  • The Azure DevOps organization must be connected to Microsoft Entra ID; the Auditing feature is only available for Entra-backed organizations.

Azure DevOps Side

To enable auditing, follow the instructions below.

On the Azure DevOps portal, go to “Organization settings.” Under “Security,” select “Policies.” Then enable “Log Audit Events.”

Within a few minutes, the audit log becomes available. From the same Organization settings page, go to General and then Auditing. Note: auditing starts working within minutes and records many actions, from general organization actions to DevOps-specific ones.

The logs are categorized into the following areas and categories:

Area Types

  • Auditing: View and download audit logs. Access, create, modify, enable, disable, and delete audit streams.
  • Billing: Add, change, or remove Azure subscriptions. Modify billing quantities for Pipelines, Artifacts, and Cloud Load Test usage.
  • Checks: In Azure Pipelines (YAML only), create, modify, delete, and track check usage, including approvals on protected resources.
  • Extension: Install, modify, enable, disable, and uninstall extensions from the Extensions Marketplace.
  • Git: Create, modify, enable, disable, fork, delete, and undelete Git repositories in Azure Repos. Bypass PR policies. Change branch policies.
  • Group: Create groups and modify group memberships.
  • Library: In Azure Pipelines, create, modify, delete, and track the usage of service connections, variable groups, secure files, and agent pools.
  • Licensing: Assign, modify, and remove licensing. Create, modify, and delete group licensing rules.
  • Organization: Create and modify the Azure DevOps organization. Link and unlink Microsoft Entra tenants.
  • OrganizationPolicy: Add, modify, or remove organization policies.
  • Permissions: Modify or remove permissions and access control lists for users and groups throughout an Azure DevOps organization.

Action Categories

  • Access: Viewed or opened artifacts in an organization.
  • Create: Newly created artifacts in an organization.
  • Delete: Deleted or removed artifacts from an organization.
  • Execute: Processes completed within an organization.
  • Modify: Changed artifacts, such as a state or property change, in an organization.
  • Rename: Name changes made to artifacts in an organization.

The logs can be filtered by time, and the “Export log” drop-down menu allows you to download them in CSV/JSON format.

GOOD TO KNOW

  • Azure DevOps audit logs will be stored for 90 days by default.
  • The logs can be streamed to Microsoft Sentinel to extend the retention period.
  • Audit streams are the pipeline that carries audit events from Azure DevOps to an external target; for Microsoft Sentinel, the target is the Log Analytics workspace behind it.
  • Every half hour, new audit events are streamed to Microsoft Sentinel.
  • Any given event belongs to a specific Product Area.
  • An event has a Category field that reflects the type of action performed during the event.
  • The list of all possible actions is grouped by Product Area.
  • Auditing isn’t available for Azure DevOps Server.
  • Project Collection Administrators are the only group with access to the auditing feature, but you can grant permissions to other users.

Microsoft Sentinel Side

Once Azure DevOps Auditing is enabled and producing events, the next step is to connect it to Microsoft Sentinel.

What do you need from the Microsoft Sentinel side? Two values from the Log Analytics workspace that backs your Sentinel instance, which you then enter in Azure DevOps:

  • Workspace ID
  • Primary Key


Then go back to the Azure DevOps portal and enter this information in the stream settings. In Organization Settings, go to Auditing and choose Streams. Create a new stream, select Azure Monitor Logs as the target, enter the Workspace ID and the Primary Key, and save the settings. Treat the Primary Key as a secret: it is a workspace shared key, and anyone holding it can write data into the workspace, so keep it only in the stream configuration and rotate it if it is ever exposed.

Then return to the Microsoft Sentinel portal and check for new logs in the AzureDevOpsAuditing table under Logs. Because events are streamed roughly every half hour, allow some time for the first entries to appear.
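The following query, added here as an example and not part of the original post, is a quick way to confirm that the AzureDevOpsAuditing table is being populated and to notice when the stream goes quiet. It uses only the documented AzureDevOpsAuditing column names; the three-hour staleness threshold is a value chosen for this check, not a Microsoft default.

```kql
// Added example: confirm AzureDevOpsAuditing is being populated and that
// the audit stream is still alive. Column names follow the documented
// schema; the 180-minute threshold is an assumption chosen for this check.
AzureDevOpsAuditing
| where TimeGenerated > ago(7d)
| summarize
    Events    = count(),
    Actors    = dcount(ActorUPN),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by Area
// Streams deliver events roughly every half hour, so several hours of
// silence across every area usually means the stream was paused, deleted,
// or its workspace key stopped working, not that nobody did anything.
| extend MinutesSinceLast = datetime_diff('minute', now(), LastSeen)
| extend StreamHealth = iff(MinutesSinceLast > 180, "STALE", "OK")
| project Area, Events, Actors, FirstSeen, LastSeen, MinutesSinceLast, StreamHealth
| order by LastSeen desc
```

Running `AzureDevOpsAuditing | getschema` in the same Logs blade lists every column with its type, which is useful before writing the hunting queries in the next section.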

The KQL Area

So, you want to do some hunting and search for malicious actions or potential exposure. Let’s explore some of the ways to use KQL.

As in any other situation, it’s good to get familiar with the schema first. The AzureDevOpsAuditing table has a fixed set of typed columns, among them TimeGenerated, ActorUPN, ActorDisplayName, ActionId, OperationName, Area, Category, ProjectName, ScopeDisplayName, IpAddress, UserAgent, AuthenticationMechanism, Details, and Data. The Azure DevOps and Pipelines actions populate these columns, and the dynamic Data column carries the action-specific payload.

The Area and Category fields are the crucial parts of the auditing data. Summarizing events by both shows what the organization is actually logging and, by contrast, which areas are silent, which is the quickest way to determine the existing DevOps auditing posture.

An additional, higher-value query checks who touches the audit configuration itself in Azure DevOps Auditing: an attacker who has gained administrative access will often disable logging or delete the stream before doing anything else, so changes in this area deserve an alert rather than a periodic review.
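Two queries, added here as an example (they are not from the original post), implement the two points above: the posture summary by Area and Category, and the hunt for changes to the audit configuration. They rely only on the documented AzureDevOpsAuditing columns; the `Details has "audit"` filter on organization policy events is a heuristic assumption to catch policy changes that mention auditing, since the exact action IDs are not listed on this page.

```kql
// Query 1: auditing posture. Which areas and categories actually produce
// events, how many distinct actors drive them, and when each was last seen.
// An area/category pair with no rows here is either unused or not captured.
AzureDevOpsAuditing
| where TimeGenerated > ago(30d)
| summarize
    Events   = count(),
    Actors   = dcount(ActorUPN),
    LastSeen = max(TimeGenerated)
    by Area, Category
| order by Area asc, Events desc

// Query 2: who touched the audit configuration. Streams live in the
// "Auditing" area; turning the "Log Audit Events" policy off is an
// organization policy change, so both areas are checked. Reads and
// exports (Category == "Access") are dropped to focus on changes.
let lookback = 30d;
AzureDevOpsAuditing
| where TimeGenerated > ago(lookback)
| where (Area == "Auditing" and Category in ("Create", "Modify", "Delete"))
     or (Area == "OrganizationPolicy" and Details has "audit")   // assumption: heuristic text match
| project TimeGenerated, ActorUPN, ActorDisplayName, Area, Category,
          ActionId, OperationName, Details, IpAddress, UserAgent, AuthenticationMechanism
| order by TimeGenerated desc
```

Query 2 is a good candidate for a scheduled analytics rule: any row it returns is worth an alert, because legitimate changes to audit streams or the audit policy are rare and should map to a known change ticket. The IpAddress, UserAgent, and AuthenticationMechanism columns help decide quickly whether the actor is an admin in the portal or a token-driven automation you did not expect.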

What about hunting, investigating, and searching for potential security issues and risks in Azure DevOps? I will share it in the next post.

Resources

More info on the AzureDevOpsAuditing can be found here:

AzureDevOpsAuditing

Azure DevOps Audit Streaming
