Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Azure DevOps New Extension Added

Azure DevOps New Extension Added

Back
Idbf07ca9c-e408-443a-8939-6860a45a929e
RulenameAzure DevOps New Extension Added
DescriptionExtensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity.

This query looks for new extensions that are not from a configurable list of approved publishers.
SeverityLow
TacticsPersistence
TechniquesT1505
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic Rules/ADONewExtensionAdded.yaml
Version1.0.4
Arm templatebf07ca9c-e408-443a-8939-6860a45a929e.json
Deploy To Azure
let allowed_publishers = dynamic([]);
ADOAuditLogs
| where OperationName =~ "Extension.Installed"
| extend ExtensionName = tostring(Data.ExtensionName)
| extend PublisherName = tostring(Data.PublisherName)
| where PublisherName !in (allowed_publishers)
| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data
| extend timestamp = TimeGenerated
| extend AccountName = tostring(split(ActorUPN, "@")[0]), AccountUPNSuffix = tostring(split(ActorUPN, "@")[1])

relevantTechniques:
- T1505
queryFrequency: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic Rules/ADONewExtensionAdded.yaml
version: 1.0.4
kind: Scheduled
queryPeriod: 1d
severity: Low
status: Available
requiredDataConnectors: []
tactics:
- Persistence
triggerOperator: gt
triggerThreshold: 0
description: |
  'Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. 
  This query looks for new extensions that are not from a configurable list of approved publishers.'  
query: |
  let allowed_publishers = dynamic([]);
  ADOAuditLogs
  | where OperationName =~ "Extension.Installed"
  | extend ExtensionName = tostring(Data.ExtensionName)
  | extend PublisherName = tostring(Data.PublisherName)
  | where PublisherName !in (allowed_publishers)
  | project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data
  | extend timestamp = TimeGenerated
  | extend AccountName = tostring(split(ActorUPN, "@")[0]), AccountUPNSuffix = tostring(split(ActorUPN, "@")[1])  
entityMappings:
- fieldMappings:
  - columnName: ActorUPN
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: IpAddress
    identifier: Address
  entityType: IP
name: Azure DevOps New Extension Added
id: bf07ca9c-e408-443a-8939-6860a45a929e