Query Details

Azure Dev Ops Additional Protection When Using Public Package Registries

Query

# Azure DevOps - Organization Policy - Additional Protection when using public package registries

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
|  |  |  |

### Description

Use the query below to identify when the "Additional protection when using public package registries" organization policy is disabled in Azure DevOps.

#### References

- [Changes to Azure Artifacts Upstream Behavior](https://devblogs.microsoft.com/devops/changes-to-azure-artifact-upstream-behavior/)

### Microsoft Sentinel

```kql
AzureDevOpsAuditing
| where OperationName == "OrganizationPolicy.PolicyValueUpdated"
| extend PolicyName = tostring(Data.PolicyName)
| extend PolicyValue = tostring(Data.PolicyValue)
| where PolicyValue == "OFF"
| where PolicyName == "Policy.ArtifactsExternalPackageProtectionToken"
| project TimeGenerated, ActorUPN, IpAddress, PolicyName, PolicyValue, ScopeDisplayName
```

Explanation

This query is designed to monitor Azure DevOps for changes in the organization policy related to the protection of public package registries. Specifically, it identifies instances where the additional protection feature, which is intended to safeguard against potential risks when using public package registries, has been turned off.

Here's a breakdown of what the query does:

  1. Data Source: It uses the AzureDevOpsAuditing table, which logs various activities and changes within Azure DevOps.

  2. Filter by Operation: The query looks for audit logs where the operation name is OrganizationPolicy.PolicyValueUpdated. This indicates that a policy value has been updated.

  3. Extract Policy Details: It extracts the PolicyName and PolicyValue from the log data to focus on specific policy changes.

  4. Check Policy Status: It filters the results to find cases where the PolicyValue is set to "OFF". This means the additional protection feature is disabled.

  5. Specific Policy: The query specifically targets the policy named Policy.ArtifactsExternalPackageProtectionToken, which relates to the protection of external package registries.

  6. Output: It projects (selects) relevant information such as the time of the change (TimeGenerated), the user who made the change (ActorUPN), their IP address (IpAddress), the policy name and value, and the scope of the policy change (ScopeDisplayName).

In summary, this query helps identify and track when the additional protection for using public package registries in Azure DevOps is disabled, which is a potential security concern and should be reviewed with the actor who made the change.
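As an added illustration (not part of the original page or the query author's code), the same filters and projection applied in Python to a handful of constructed AzureDevOpsAuditing-shaped rows; the row contents, the helper names and the handling of Data as either a parsed dict or a JSON string are assumptions made for this example:

```python
import json

PROTECTION_POLICY = "Policy.ArtifactsExternalPackageProtectionToken"
POLICY_UPDATED = "OrganizationPolicy.PolicyValueUpdated"

def _row(ts, op, actor, data):
    """Build one constructed AzureDevOpsAuditing-shaped row (sample data, not real audit output)."""
    return {"TimeGenerated": ts, "OperationName": op, "ActorUPN": actor,
            "IpAddress": "203.0.113.10", "ScopeDisplayName": "Contoso (Organization)", "Data": data}

# Constructed sample rows. Data is given both as a parsed dict and as a JSON
# string, since exports of the dynamic Data column are often serialized.
SAMPLE_ROWS = [
    _row("2024-11-18T09:12:01Z", POLICY_UPDATED, "admin@contoso.example",
         {"PolicyName": PROTECTION_POLICY, "PolicyValue": "OFF"}),            # finding
    _row("2024-11-18T09:40:55Z", POLICY_UPDATED, "admin@contoso.example",
         json.dumps({"PolicyName": PROTECTION_POLICY, "PolicyValue": "ON"})),  # re-enabled
    _row("2024-11-18T10:02:13Z", POLICY_UPDATED, "dev@contoso.example",
         {"PolicyName": "Policy.SomeOtherPolicy", "PolicyValue": "OFF"}),     # other policy
    _row("2024-11-18T10:05:00Z", "Git.RepositoryCreated", "dev@contoso.example",
         {"RepoName": "tools"}),                                              # unrelated op
]

def _data_field(data, key):
    """Mirror tostring(Data.<key>): accept a dict or JSON string, '' when missing or unparsable."""
    if isinstance(data, str):
        try:
            data = json.loads(data)
        except json.JSONDecodeError:
            return ""
    if not isinstance(data, dict) or data.get(key) is None:
        return ""
    return str(data[key])

def find_protection_disabled(rows):
    """Apply the query's filters and projection. Matches are exact, as KQL '==' is case-sensitive."""
    hits = []
    for row in rows:
        if row.get("OperationName") != POLICY_UPDATED:
            continue
        name = _data_field(row.get("Data"), "PolicyName")
        value = _data_field(row.get("Data"), "PolicyValue")
        if name != PROTECTION_POLICY or value != "OFF":
            continue
        hits.append({"TimeGenerated": row["TimeGenerated"], "ActorUPN": row["ActorUPN"],
                     "IpAddress": row["IpAddress"], "PolicyName": name,
                     "PolicyValue": value, "ScopeDisplayName": row["ScopeDisplayName"]})
    return hits
```

Only the first sample row survives: the re-enable event, the change to another policy and the unrelated operation are all dropped, which is exactly what the KQL `where` clauses do.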

Details


Alex Verboon

Released: November 18, 2024

Tables

AzureDevOpsAuditing

Keywords

AzureDevOps, OrganizationPolicy, Protection, PackageRegistries, Artifacts, Auditing, Policy, Actor, IpAddress, Scope, TimeGenerated

Operators

AzureDevOpsAuditing, where, extend, tostring, project
