Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Azure DevOps New Extension Added

Azure DevOps New Extension Added

Back
Idbf07ca9c-e408-443a-8939-6860a45a929e
RulenameAzure DevOps New Extension Added
DescriptionExtensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity.

This query looks for new extensions that are not from a configurable list of approved publishers.
SeverityLow
TacticsPersistence
TechniquesT1505
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic Rules/ADONewExtensionAdded.yaml
Version1.0.4
Arm templatebf07ca9c-e408-443a-8939-6860a45a929e.json
Deploy To Azure
let allowed_publishers = dynamic([]);
ADOAuditLogs
| where OperationName =~ "Extension.Installed"
| extend ExtensionName = tostring(Data.ExtensionName)
| extend PublisherName = tostring(Data.PublisherName)
| where PublisherName !in (allowed_publishers)
| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data
| extend timestamp = TimeGenerated
| extend AccountName = tostring(split(ActorUPN, "@")[0]), AccountUPNSuffix = tostring(split(ActorUPN, "@")[1])

description: |
  'Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. 
  This query looks for new extensions that are not from a configurable list of approved publishers.'  
kind: Scheduled
tactics:
- Persistence
requiredDataConnectors: []
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic Rules/ADONewExtensionAdded.yaml
severity: Low
name: Azure DevOps New Extension Added
triggerThreshold: 0
queryPeriod: 1d
query: |
  let allowed_publishers = dynamic([]);
  ADOAuditLogs
  | where OperationName =~ "Extension.Installed"
  | extend ExtensionName = tostring(Data.ExtensionName)
  | extend PublisherName = tostring(Data.PublisherName)
  | where PublisherName !in (allowed_publishers)
  | project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data
  | extend timestamp = TimeGenerated
  | extend AccountName = tostring(split(ActorUPN, "@")[0]), AccountUPNSuffix = tostring(split(ActorUPN, "@")[1])  
relevantTechniques:
- T1505
id: bf07ca9c-e408-443a-8939-6860a45a929e
queryFrequency: 1d
status: Available
triggerOperator: gt
version: 1.0.4
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: ActorUPN
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: IpAddress
    identifier: Address