Azure DevOps Retention Reduced
Id | 71d374e0-1cf8-4e50-aecd-ab6c519795c2 |
Rulename | Azure DevOps Retention Reduced |
Description | AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs. This query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half. |
Severity | Low |
Tactics | DefenseEvasion |
Techniques | T1564 |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic Rules/ADORetentionReduced.yaml |
Version | 1.0.2 |
Arm template | 71d374e0-1cf8-4e50-aecd-ab6c519795c2.json |
AzureDevOpsAuditing
| where OperationName =~ "Pipelines.PipelineRetentionSettingChanged"
| where Data.SettingName in ("PurgeArtifacts", "PurgeRuns")
| where Data.NewValue == 1 or Data.NewValue < Data.OldValue/2
| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data
| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
queryFrequency: 1d
triggerOperator: gt
tactics:
- DefenseEvasion
description: |
'AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.
This query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.'
status: Available
relevantTechniques:
- T1564
name: Azure DevOps Retention Reduced
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic Rules/ADORetentionReduced.yaml
severity: Low
triggerThreshold: 0
version: 1.0.2
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
query: |
AzureDevOpsAuditing
| where OperationName =~ "Pipelines.PipelineRetentionSettingChanged"
| where Data.SettingName in ("PurgeArtifacts", "PurgeRuns")
| where Data.NewValue == 1 or Data.NewValue < Data.OldValue/2
| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data
| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
id: 71d374e0-1cf8-4e50-aecd-ab6c519795c2
requiredDataConnectors: []
kind: Scheduled
queryPeriod: 1d
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/71d374e0-1cf8-4e50-aecd-ab6c519795c2')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/71d374e0-1cf8-4e50-aecd-ab6c519795c2')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Azure DevOps Retention Reduced",
"description": "'AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.'\n",
"severity": "Low",
"enabled": true,
"query": "AzureDevOpsAuditing\n| where OperationName =~ \"Pipelines.PipelineRetentionSettingChanged\"\n| where Data.SettingName in (\"PurgeArtifacts\", \"PurgeRuns\")\n| where Data.NewValue == 1 or Data.NewValue < Data.OldValue/2\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion"
],
"techniques": [
"T1564"
],
"alertRuleTemplateName": "71d374e0-1cf8-4e50-aecd-ab6c519795c2",
"customDetails": null,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic Rules/ADORetentionReduced.yaml",
"status": "Available",
"templateVersion": "1.0.2"
}
}
]
}