Query Details

Azure Dev Ops Critical Search Queries

Query

// Detect suspicious code search queries (possible secret hunting)
ADOAuditLogs_CL
| where TimeGenerated > ago(7d)
| where ActionId == "Search.Code"
| extend d=parse_json(Data)
| extend SearchQuery=tostring(d.SearchQuery)
| where SearchQuery matches regex @"(?i)(password|passwd|secret|token|apikey|api_key|connectionstring|connstring|credential|private key|BEGIN RSA PRIVATE KEY)"

About this query

Azure DevOps Critical Search Queries

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1552.004Private keyshttps://attack.mitre.org/techniques/T1552/004/

Description

This Query detects suspicious code search queries within Azure DevOps audit logs that may indicate an adversary is attempting to find sensitive information such as passwords, API keys, tokens, or private keys. It specifically looks for keywords like 'password', 'secret', 'token', 'apikey', 'api_key', 'connectionstring', 'connstring', 'credential', 'private key', and 'BEGIN RSA PRIVATE KEY' in code search queries.

Author <Optional>

References

Defender XDR

Explanation

This query is designed to identify potentially suspicious search activities within Azure DevOps audit logs. It focuses on detecting attempts to find sensitive information, such as passwords, API keys, or private keys, by analyzing code search queries. The query looks for specific keywords that are commonly associated with sensitive data, such as 'password', 'secret', 'token', 'apikey', and 'private key'. It examines logs from the past seven days where the action was a code search, and it uses a regular expression to match these keywords in the search queries. This helps in identifying possible secret hunting activities by adversaries.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: February 26, 2026

Tables

ADOAuditLogs_CL

Keywords

AzureDevOpsAuditLogsCodeSearchQueriesSensitiveInformationPasswordsAPIKeysTokensPrivate

Operators

//|where>ago()==extendparse_json()tostring()matches regex

MITRE Techniques

Actions

GitHub