Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Azure DevOps Build Variable Modified by New User

Back
Id3b9a44d7-c651-45ed-816c-eae583a6f2f1
RulenameAzure DevOps Build Variable Modified by New User
DescriptionVariables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify or add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build.

As variables are often changed by users, just detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed modifying them before.
SeverityMedium
TacticsDefenseEvasion
TechniquesT1578
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic Rules/ADOVariableModifiedByNewUser.yaml
Version1.0.5
Arm template3b9a44d7-c651-45ed-816c-eae583a6f2f1.json
Deploy To Azure
let lookback = 14d;
let timeframe = 1d;
let historical_data =
AzureDevOpsAuditing
| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)
| where OperationName =~ "Library.VariableGroupModified"
| extend variables = Data.Variables
| extend VariableGroupId = tostring(Data.VariableGroupId)
| extend UserKey = strcat(VariableGroupId, "-", ActorUserId)
| project UserKey;
AzureDevOpsAuditing
| where TimeGenerated > ago(timeframe)
| where OperationName =~ "Library.VariableGroupModified"
| extend VariableGroupName = tostring(Data.VariableGroupName)
| extend VariableGroupId = tostring(Data.VariableGroupId)
| extend UserKey = strcat(VariableGroupId, "-", ActorUserId)
| where UserKey !in (historical_data)
| project-away UserKey
| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent
| extend timestamp = TimeGenerated
| extend AccountName = tostring(split(ActorUPN, "@")[0]), AccountUPNSuffix = tostring(split(ActorUPN, "@")[1])
id: 3b9a44d7-c651-45ed-816c-eae583a6f2f1
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic Rules/ADOVariableModifiedByNewUser.yaml
requiredDataConnectors: []
description: |
  'Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify or add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build.
  As variables are often changed by users, just detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed modifying them before.'  
severity: Medium
queryPeriod: 14d
kind: Scheduled
tactics:
- DefenseEvasion
queryFrequency: 1d
query: |
  let lookback = 14d;
  let timeframe = 1d;
  let historical_data =
  AzureDevOpsAuditing
  | where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)
  | where OperationName =~ "Library.VariableGroupModified"
  | extend variables = Data.Variables
  | extend VariableGroupId = tostring(Data.VariableGroupId)
  | extend UserKey = strcat(VariableGroupId, "-", ActorUserId)
  | project UserKey;
  AzureDevOpsAuditing
  | where TimeGenerated > ago(timeframe)
  | where OperationName =~ "Library.VariableGroupModified"
  | extend VariableGroupName = tostring(Data.VariableGroupName)
  | extend VariableGroupId = tostring(Data.VariableGroupId)
  | extend UserKey = strcat(VariableGroupId, "-", ActorUserId)
  | where UserKey !in (historical_data)
  | project-away UserKey
  | project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent
  | extend timestamp = TimeGenerated
  | extend AccountName = tostring(split(ActorUPN, "@")[0]), AccountUPNSuffix = tostring(split(ActorUPN, "@")[1])  
version: 1.0.5
triggerThreshold: 0
name: Azure DevOps Build Variable Modified by New User
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: ActorUPN
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: IpAddress
    identifier: Address
status: Available
relevantTechniques:
- T1578
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3b9a44d7-c651-45ed-816c-eae583a6f2f1')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3b9a44d7-c651-45ed-816c-eae583a6f2f1')]",
      "properties": {
        "alertRuleTemplateName": "3b9a44d7-c651-45ed-816c-eae583a6f2f1",
        "customDetails": null,
        "description": "'Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify or add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build.\nAs variables are often changed by users, just detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed modifying them before.'\n",
        "displayName": "Azure DevOps Build Variable Modified by New User",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "ActorUPN",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IpAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic Rules/ADOVariableModifiedByNewUser.yaml",
        "query": "let lookback = 14d;\nlet timeframe = 1d;\nlet historical_data =\nAzureDevOpsAuditing\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\n| where OperationName =~ \"Library.VariableGroupModified\"\n| extend variables = Data.Variables\n| extend VariableGroupId = tostring(Data.VariableGroupId)\n| extend UserKey = strcat(VariableGroupId, \"-\", ActorUserId)\n| project UserKey;\nAzureDevOpsAuditing\n| where TimeGenerated > ago(timeframe)\n| where OperationName =~ \"Library.VariableGroupModified\"\n| extend VariableGroupName = tostring(Data.VariableGroupName)\n| extend VariableGroupId = tostring(Data.VariableGroupId)\n| extend UserKey = strcat(VariableGroupId, \"-\", ActorUserId)\n| where UserKey !in (historical_data)\n| project-away UserKey\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\n| extend timestamp = TimeGenerated\n| extend AccountName = tostring(split(ActorUPN, \"@\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \"@\")[1])\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1578"
        ],
        "templateVersion": "1.0.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}