Id acfdee3f-b794-404a-aeba-ef6a1fa08ad1
Rulename Azure DevOps Agent Pool Created Then Deleted
Description As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a completely new agent pool and use this for execution. Azure DevOps allows for the creation of agent pools with Azure-hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents, this detection focuses on the creation of new self-hosted pools.
Id 3b9a44d7-c651-45ed-816c-eae583a6f2f1
Rulename Azure DevOps Build Variable Modified by New User
Description Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify or add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, just detecting these changes would have a high false positive rate.
Id 155e9134-d5ad-4a6f-88f3-99c220040b66
Rulename Azure DevOps Pipeline modified by a new user
Description There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification of an existing pipeline that they have access to. This detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline.
Id 9736e5f1-7b6e-4bfb-a708-e53ff1d182c3
Rulename Creation of expensive computes in Azure
Description Identifies the creation of large-size or expensive VMs (with GPUs or with a large number of virtual CPUs) in Azure. An adversary may create new or update existing virtual machines to evade defenses or use them for cryptomining purposes. For Windows/Linux VM sizes, see https://docs.microsoft.com/azure/virtual-machines/windows/sizes; for Azure VM naming conventions, see https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions
Severity Low
Tactics DefenseEvasion
Techniques T1578
Required data connectors AzureActivity
Kind Scheduled
Query frequency 1d
Query period 1d
Trigger threshold 1
Trigger operator gt
Source Uri https://github.
Id 1d2c3da7-60ec-40be-9c14-bade6eaf3c49
Rulename Data Alert
Description This query identifies clients or servers whose data has been compromised.
Severity Medium
Tactics DefenseEvasion, Impact
Techniques T1578, T1531
Required data connectors CommvaultSecurityIQ_CL
Kind Scheduled
Query frequency 5m
Query period 5m
Trigger threshold 0
Trigger operator gt
Source Uri https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/Data_Alert.yaml
Version 1.0.1
Arm template 1d2c3da7-60ec-40be-9c14-bade6eaf3c49.json
KQL SecurityIncident | where Title has "Cvlt Alert" and Description has "Client" and Description has "Compromised" and Status has "New" | extend extracted_word = extract("Client\\s(.
Id c982bcc1-ef73-485b-80d5-2a637ce4ab2b
Rulename IDP Alert
Description This query identifies indications of a potential security breach or unauthorized access to the systems and data of the Identity Provider.
Severity Medium
Tactics DefenseEvasion, Impact
Techniques T1578, T1531
Required data connectors CommvaultSecurityIQ_CL
Kind Scheduled
Query frequency 5m
Query period 5m
Trigger threshold 0
Trigger operator gt
Source Uri https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/IDP_Alert.yaml
Version 1.0.1
Arm template c982bcc1-ef73-485b-80d5-2a637ce4ab2b.json
KQL SecurityIncident | where Title has "Cvlt Alert" and Description == "IDP Compromised" and Status has "New"
YAML triggerOperator: gt description: | 'This query identifies indications of a potential security breach or unauthorized access to the systems and data of the Identity Provider.
Id 88f453ff-7b9e-45bb-8c12-4058ca5e44ee
Rulename Microsoft Entra ID Hybrid Health AD FS New Server
Description This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in a Microsoft Entra ID Hybrid Health AD FS service. A threat actor can create a new AD Health AD FS service and create a fake server instance to spoof AD FS sign-in logs. There is no need to compromise an on-premises AD FS server.
Id 86a036b2-3686-42eb-b417-909fc0867771
Rulename Microsoft Entra ID Hybrid Health AD FS Service Delete
Description This detection uses AzureActivity logs (Administrative category) to identify the deletion of a Microsoft Entra ID Hybrid Health AD FS service instance in a tenant. A threat actor can create a new AD Health AD FS service and create a fake server to spoof AD FS sign-in logs. The Health AD FS service can then be deleted after it is no longer needed via HTTP requests to Azure.
Id 56fe0db0-6779-46fa-b3c5-006082a53064
Rulename NRT Creation of expensive computes in Azure
Description Identifies the creation of large-size or expensive VMs (with GPUs or with a large number of virtual CPUs) in Azure. An adversary may create new or update existing virtual machines to evade defenses or use them for cryptomining purposes. For Windows/Linux VM sizes, see https://docs.microsoft.com/azure/virtual-machines/windows/sizes; for Azure VM naming conventions, see https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions
Severity Medium
Tactics DefenseEvasion
Techniques T1578
Required data connectors AzureActivity
Kind NRT
Source Uri https://github.