Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Azure DevOps Variable Secret Not Secured

Azure DevOps Variable Secret Not Secured

Back
Id4ca74dc0-8352-4ac5-893c-73571cc78331
RulenameAzure DevOps Variable Secret Not Secured
DescriptionCredentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets.

This detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.
SeverityMedium
TacticsCredentialAccess
TechniquesT1552
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic Rules/ADOSecretNotSecured.yaml
Version1.0.4
Arm template4ca74dc0-8352-4ac5-893c-73571cc78331.json
Deploy To Azure
let keywords = dynamic(["secret", "secrets", "password", "PAT", "passwd", "pswd", "pwd", "cred", "creds", "credentials", "credential", "key"]);
ADOAuditLogs
| where OperationName =~ "Library.VariableGroupModified"
| extend Type = tostring(Data.Type)
| extend VariableGroupId = tostring(Data.VariableGroupId)
| extend VariableGroupName = tostring(Data.VariableGroupName)
| mv-expand Data.Variables
| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)
| where Type != "AzureKeyVault"
| where Data_Variables !has "IsSecret"
| extend timestamp = TimeGenerated
| extend AccountName = tostring(split(ActorUPN, "@")[0]), AccountUPNSuffix = tostring(split(ActorUPN, "@")[1])

status: Available
queryPeriod: 1d
triggerOperator: gt
name: Azure DevOps Variable Secret Not Secured
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: ActorUPN
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: IpAddress
  entityType: IP
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic Rules/ADOSecretNotSecured.yaml
description: |
  'Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. 
  This detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.'  
version: 1.0.4
severity: Medium
tactics:
- CredentialAccess
relevantTechniques:
- T1552
kind: Scheduled
query: |
  let keywords = dynamic(["secret", "secrets", "password", "PAT", "passwd", "pswd", "pwd", "cred", "creds", "credentials", "credential", "key"]);
  ADOAuditLogs
  | where OperationName =~ "Library.VariableGroupModified"
  | extend Type = tostring(Data.Type)
  | extend VariableGroupId = tostring(Data.VariableGroupId)
  | extend VariableGroupName = tostring(Data.VariableGroupName)
  | mv-expand Data.Variables
  | where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)
  | where Type != "AzureKeyVault"
  | where Data_Variables !has "IsSecret"
  | extend timestamp = TimeGenerated
  | extend AccountName = tostring(split(ActorUPN, "@")[0]), AccountUPNSuffix = tostring(split(ActorUPN, "@")[1])  
id: 4ca74dc0-8352-4ac5-893c-73571cc78331
triggerThreshold: 0
requiredDataConnectors: []
queryFrequency: 1d