Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Azure DevOps New Extension Added

Azure DevOps New Extension Added

Back
Idbf07ca9c-e408-443a-8939-6860a45a929e
RulenameAzure DevOps New Extension Added
DescriptionExtensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity.

This query looks for new extensions that are not from a configurable list of approved publishers.
SeverityLow
TacticsPersistence
TechniquesT1505
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic Rules/ADONewExtensionAdded.yaml
Version1.0.4
Arm templatebf07ca9c-e408-443a-8939-6860a45a929e.json
Deploy To Azure
let allowed_publishers = dynamic([]);
ADOAuditLogs
| where OperationName =~ "Extension.Installed"
| extend ExtensionName = tostring(Data.ExtensionName)
| extend PublisherName = tostring(Data.PublisherName)
| where PublisherName !in (allowed_publishers)
| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data
| extend timestamp = TimeGenerated
| extend AccountName = tostring(split(ActorUPN, "@")[0]), AccountUPNSuffix = tostring(split(ActorUPN, "@")[1])

relevantTechniques:
- T1505
entityMappings:
- fieldMappings:
  - columnName: ActorUPN
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: IpAddress
    identifier: Address
  entityType: IP
triggerThreshold: 0
description: |
  'Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. 
  This query looks for new extensions that are not from a configurable list of approved publishers.'  
requiredDataConnectors: []
triggerOperator: gt
version: 1.0.4
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic Rules/ADONewExtensionAdded.yaml
id: bf07ca9c-e408-443a-8939-6860a45a929e
queryFrequency: 1d
query: |
  let allowed_publishers = dynamic([]);
  ADOAuditLogs
  | where OperationName =~ "Extension.Installed"
  | extend ExtensionName = tostring(Data.ExtensionName)
  | extend PublisherName = tostring(Data.PublisherName)
  | where PublisherName !in (allowed_publishers)
  | project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data
  | extend timestamp = TimeGenerated
  | extend AccountName = tostring(split(ActorUPN, "@")[0]), AccountUPNSuffix = tostring(split(ActorUPN, "@")[1])  
severity: Low
status: Available
queryPeriod: 1d
name: Azure DevOps New Extension Added
tactics:
- Persistence
kind: Scheduled