Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Azure DevOps Audit Stream Disabled

Back
Id4e8238bd-ff4f-4126-a9f6-09b3b6801b3d
RulenameAzure DevOps Audit Stream Disabled
DescriptionAzure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams

before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action

its unlikely to have a high false positive rate.
SeverityHigh
TacticsDefenseEvasion
TechniquesT1562.008
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic Rules/ADOAuditStreamDisabled.yaml
Version1.0.1
Arm template4e8238bd-ff4f-4126-a9f6-09b3b6801b3d.json
Deploy To Azure
AzureDevOpsAuditing
| where OperationName =~ "AuditLog.StreamDisabledByUser"
| extend StreamType = tostring(Data.ConsumerType)
| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType
| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
queryFrequency: 1d
triggerOperator: gt
tactics:
- DefenseEvasion
description: |
  'Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams 
  before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action 
  its unlikely to have a high false positive rate.'  
status: Available
relevantTechniques:
- T1562.008
name: Azure DevOps Audit Stream Disabled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic Rules/ADOAuditStreamDisabled.yaml
severity: High
triggerThreshold: 0
version: 1.0.1
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
query: |
  AzureDevOpsAuditing
  | where OperationName =~ "AuditLog.StreamDisabledByUser"
  | extend StreamType = tostring(Data.ConsumerType)
  | project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType
  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress  
id: 4e8238bd-ff4f-4126-a9f6-09b3b6801b3d
requiredDataConnectors: []
kind: Scheduled
queryPeriod: 1d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4e8238bd-ff4f-4126-a9f6-09b3b6801b3d')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Azure DevOps Audit Stream Disabled",
        "description": "'Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action \nits unlikely to have a high false positive rate.'\n",
        "severity": "High",
        "enabled": true,
        "query": "AzureDevOpsAuditing\n| where OperationName =~ \"AuditLog.StreamDisabledByUser\"\n| extend StreamType = tostring(Data.ConsumerType)\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562.008"
        ],
        "alertRuleTemplateName": "4e8238bd-ff4f-4126-a9f6-09b3b6801b3d",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic Rules/ADOAuditStreamDisabled.yaml",
        "status": "Available",
        "templateVersion": "1.0.1"
      }
    }
  ]
}