Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Azure DevOps Variable Secret Not Secured

Azure DevOps Variable Secret Not Secured

Back
Id4ca74dc0-8352-4ac5-893c-73571cc78331
RulenameAzure DevOps Variable Secret Not Secured
DescriptionCredentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets.

This detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.
SeverityMedium
TacticsCredentialAccess
TechniquesT1552
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic Rules/ADOSecretNotSecured.yaml
Version1.0.4
Arm template4ca74dc0-8352-4ac5-893c-73571cc78331.json
Deploy To Azure
let keywords = dynamic(["secret", "secrets", "password", "PAT", "passwd", "pswd", "pwd", "cred", "creds", "credentials", "credential", "key"]);
ADOAuditLogs
| where OperationName =~ "Library.VariableGroupModified"
| extend Type = tostring(Data.Type)
| extend VariableGroupId = tostring(Data.VariableGroupId)
| extend VariableGroupName = tostring(Data.VariableGroupName)
| mv-expand Data.Variables
| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)
| where Type != "AzureKeyVault"
| where Data_Variables !has "IsSecret"
| extend timestamp = TimeGenerated
| extend AccountName = tostring(split(ActorUPN, "@")[0]), AccountUPNSuffix = tostring(split(ActorUPN, "@")[1])

description: |
  'Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. 
  This detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.'  
kind: Scheduled
tactics:
- CredentialAccess
requiredDataConnectors: []
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic Rules/ADOSecretNotSecured.yaml
severity: Medium
name: Azure DevOps Variable Secret Not Secured
triggerThreshold: 0
queryPeriod: 1d
query: |
  let keywords = dynamic(["secret", "secrets", "password", "PAT", "passwd", "pswd", "pwd", "cred", "creds", "credentials", "credential", "key"]);
  ADOAuditLogs
  | where OperationName =~ "Library.VariableGroupModified"
  | extend Type = tostring(Data.Type)
  | extend VariableGroupId = tostring(Data.VariableGroupId)
  | extend VariableGroupName = tostring(Data.VariableGroupName)
  | mv-expand Data.Variables
  | where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)
  | where Type != "AzureKeyVault"
  | where Data_Variables !has "IsSecret"
  | extend timestamp = TimeGenerated
  | extend AccountName = tostring(split(ActorUPN, "@")[0]), AccountUPNSuffix = tostring(split(ActorUPN, "@")[1])  
relevantTechniques:
- T1552
id: 4ca74dc0-8352-4ac5-893c-73571cc78331
queryFrequency: 1d
status: Available
triggerOperator: gt
version: 1.0.4
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: ActorUPN
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: IpAddress
    identifier: Address