Azure DevOps Pull Request Policy Bypassing - Historic allow list

Back


Id	4d8de9e6-263e-4845-8618-cd23a4f58b70
Rulename	Azure DevOps Pull Request Policy Bypassing - Historic allow list
Description	This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow list.
Severity	Medium
Tactics	Persistence
Techniques	T1098
Kind	Scheduled
Query frequency	3h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic Rules/AzDOHistoricPrPolicyBypassing.yaml
Version	1.0.5
Arm template	4d8de9e6-263e-4845-8618-cd23a4f58b70.json

KQL

let starttime = 14d;
let endtime = 3h;
// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users
let AuthorizedBypassers = dynamic(['foo@baz.com', 'test@foo.com']);
let historicBypassers = AzureDevOpsAuditing
| where TimeGenerated between (ago(starttime) .. ago(endtime))
| where OperationName == 'Git.RefUpdatePoliciesBypassed'
| distinct ActorUPN;
AzureDevOpsAuditing
| where TimeGenerated >= ago(endtime)
| where OperationName == 'Git.RefUpdatePoliciesBypassed'
| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)
| parse ScopeDisplayName with OrganizationName '(Organization)'
| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name,
  BypassReason = Data.BypassReason, PRLink = strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_git/', Data.RepoName, '/pullrequest/', Data.PullRequestId)
| extend timestamp = TimeGenerated
| extend AccountName = tostring(split(ActorUPN, "@")[0]), AccountUPNSuffix = tostring(split(ActorUPN, "@")[1])

YAML

id: 4d8de9e6-263e-4845-8618-cd23a4f58b70
tactics:
- Persistence
queryPeriod: 14d
triggerThreshold: 0
name: Azure DevOps Pull Request Policy Bypassing - Historic allow list
query: |
  let starttime = 14d;
  let endtime = 3h;
  // Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users
  let AuthorizedBypassers = dynamic(['foo@baz.com', 'test@foo.com']);
  let historicBypassers = AzureDevOpsAuditing
  | where TimeGenerated between (ago(starttime) .. ago(endtime))
  | where OperationName == 'Git.RefUpdatePoliciesBypassed'
  | distinct ActorUPN;
  AzureDevOpsAuditing
  | where TimeGenerated >= ago(endtime)
  | where OperationName == 'Git.RefUpdatePoliciesBypassed'
  | where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)
  | parse ScopeDisplayName with OrganizationName '(Organization)'
  | project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name,
    BypassReason = Data.BypassReason, PRLink = strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_git/', Data.RepoName, '/pullrequest/', Data.PullRequestId)
  | extend timestamp = TimeGenerated
  | extend AccountName = tostring(split(ActorUPN, "@")[0]), AccountUPNSuffix = tostring(split(ActorUPN, "@")[1])  
severity: Medium
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1098
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic Rules/AzDOHistoricPrPolicyBypassing.yaml
queryFrequency: 3h
requiredDataConnectors: []
description: |
    'This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow list.'
status: Available
version: 1.0.5
entityMappings:
- fieldMappings:
  - columnName: ActorUPN
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: IpAddress
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: PRLink
    identifier: Url
  entityType: URL

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4d8de9e6-263e-4845-8618-cd23a4f58b70')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4d8de9e6-263e-4845-8618-cd23a4f58b70')]",
      "properties": {
        "alertRuleTemplateName": "4d8de9e6-263e-4845-8618-cd23a4f58b70",
        "customDetails": null,
        "description": "'This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow list.'\n",
        "displayName": "Azure DevOps Pull Request Policy Bypassing - Historic allow list",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "ActorUPN",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IpAddress",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "PRLink",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic Rules/AzDOHistoricPrPolicyBypassing.yaml",
        "query": "let starttime = 14d;\nlet endtime = 3h;\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users\nlet AuthorizedBypassers = dynamic(['foo@baz.com', 'test@foo.com']);\nlet historicBypassers = AzureDevOpsAuditing\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\n| where OperationName == 'Git.RefUpdatePoliciesBypassed'\n| distinct ActorUPN;\nAzureDevOpsAuditing\n| where TimeGenerated >= ago(endtime)\n| where OperationName == 'Git.RefUpdatePoliciesBypassed'\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\n| parse ScopeDisplayName with OrganizationName '(Organization)'\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name,\n  BypassReason = Data.BypassReason, PRLink = strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_git/', Data.RepoName, '/pullrequest/', Data.PullRequestId)\n| extend timestamp = TimeGenerated\n| extend AccountName = tostring(split(ActorUPN, \"@\")[0]), AccountUPNSuffix = tostring(split(ActorUPN, \"@\")[1])\n",
        "queryFrequency": "PT3H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1098"
        ],
        "templateVersion": "1.0.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}