Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. New PA PCA or PCAS added to Azure DevOps

New PA PCA or PCAS added to Azure DevOps

Back
Id35ce9aff-1708-45b8-a295-5e9a307f5f17
RulenameNew PA, PCA, or PCAS added to Azure DevOps
DescriptionIn order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions.

This detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of users granted these permissions should be small. Note that permissions can also be granted via Microsoft Entra ID Protection groups and monitoring of these should also be conducted.
SeverityMedium
TacticsInitialAccess
TechniquesT1078.004
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic Rules/NewPAPCAPCASaddedtoADO.yaml
Version1.0.5
Arm template35ce9aff-1708-45b8-a295-5e9a307f5f17.json
Deploy To Azure
AzureDevOpsAuditing
| where OperationName =~ "Group.UpdateGroupMembership.Add"
| where Details has_any ("Project Administrators", "Project Collection Administrators", "Project Collection Service Accounts", "Build Administrator")
| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName
| extend timekey = bin(TimeGenerated, 1h)
| extend ActorUserId = tostring(Data.MemberId)
| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details
// Get details of operations conducted by user soon after elevation of permissions
| join (AzureDevOpsAuditing
| extend ActorUserId = tostring(Data.MemberId)
| extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId
| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent
| extend AccountName = tostring(split(ActorUPN, "@")[0]), AccountUPNSuffix = tostring(split(ActorUPN, "@")[1])
| extend AddingUserAccountName = tostring(split(AddingUser, "@")[0]), AddingUserAccountUPNSuffix = tostring(split(AddingUser, "@")[1])

id: 35ce9aff-1708-45b8-a295-5e9a307f5f17
tactics:
- InitialAccess
queryPeriod: 1d
triggerThreshold: 0
name: New PA, PCA, or PCAS added to Azure DevOps
query: |
  AzureDevOpsAuditing
  | where OperationName =~ "Group.UpdateGroupMembership.Add"
  | where Details has_any ("Project Administrators", "Project Collection Administrators", "Project Collection Service Accounts", "Build Administrator")
  | project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName
  | extend timekey = bin(TimeGenerated, 1h)
  | extend ActorUserId = tostring(Data.MemberId)
  | project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details
  // Get details of operations conducted by user soon after elevation of permissions
  | join (AzureDevOpsAuditing
  | extend ActorUserId = tostring(Data.MemberId)
  | extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId
  | summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent
  | extend AccountName = tostring(split(ActorUPN, "@")[0]), AccountUPNSuffix = tostring(split(ActorUPN, "@")[1])
  | extend AddingUserAccountName = tostring(split(AddingUser, "@")[0]), AddingUserAccountUPNSuffix = tostring(split(AddingUser, "@")[1])  
severity: Medium
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1078.004
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic Rules/NewPAPCAPCASaddedtoADO.yaml
queryFrequency: 1d
requiredDataConnectors: []
description: |
  'In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. 
  This detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of users granted these permissions should be small. Note that permissions can also be granted via Microsoft Entra ID Protection groups and monitoring of these should also be conducted.'  
status: Available
version: 1.0.5
entityMappings:
- fieldMappings:
  - columnName: ActorUPN
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: AddingUser
    identifier: FullName
  - columnName: AddingUserAccountName
    identifier: Name
  - columnName: AddingUserAccountUPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: IpAddress
    identifier: Address
  entityType: IP

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/35ce9aff-1708-45b8-a295-5e9a307f5f17')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/35ce9aff-1708-45b8-a295-5e9a307f5f17')]",
      "properties": {
        "alertRuleTemplateName": "35ce9aff-1708-45b8-a295-5e9a307f5f17",
        "customDetails": null,
        "description": "'In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of users granted these permissions should be small. Note that permissions can also be granted via Microsoft Entra ID Protection groups and monitoring of these should also be conducted.'\n",
        "displayName": "New PA, PCA, or PCAS added to Azure DevOps",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "ActorUPN",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AddingUser",
                "identifier": "FullName"
              },
              {
                "columnName": "AddingUserAccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AddingUserAccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IpAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic Rules/NewPAPCAPCASaddedtoADO.yaml",
        "query": "AzureDevOpsAuditing\n| where OperationName =~ \"Group.UpdateGroupMembership.Add\"\n| where Details has_any (\"Project Administrators\", \"Project Collection Administrators\", \"Project Collection Service Accounts\", \"Build Administrator\")\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\n| extend timekey = bin(TimeGenerated, 1h)\n| extend ActorUserId = tostring(Data.MemberId)\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\n// Get details of operations conducted by user soon after elevation of permissions\n| join (AzureDevOpsAuditing\n| extend ActorUserId = tostring(Data.MemberId)\n| extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent\n| extend AccountName = tostring(split(ActorUPN, \"@\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \"@\")[1])\n| extend AddingUserAccountName = tostring(split(AddingUser, \"@\")[0]), AddingUserAccountUPNSuffix = tostring(split(AddingUser, \"@\")[1])\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [
          "T1078.004"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}