Query Details
# Azure DevOps - Organization Policy - Allow Public Projects

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1213.003 | Data from Information Repositories: Code Repositories | https://attack.mitre.org/techniques/T1213/003/ |

### Description

Disable “Allow public projects”: In your organization’s policy settings, disable the option to create public projects. Switch project visibility from public to private as needed. Users who haven’t signed in have read-only access to public projects, while signed-in users can be granted access to private projects and make permitted changes.

Organization’s public repositories – Access to the organization’s public repositories that are configured with CI/CD capabilities. Depending on the organization’s configuration, these repositories may have the ability to trigger a pipeline run after a pull request (PR) is created.

Use the below query to identify when Allow Public Projects is enabled in Azure DevOps.

#### References

- [Azure DevOps Project Level Permissions](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#project-level-permissions)
- [Change project visibility to public or private](https://learn.microsoft.com/en-us/azure/devops/organizations/projects/make-project-public?view=azure-devops)
- [DevOps threat matrix](https://www.microsoft.com/en-us/security/blog/2023/04/06/devops-threat-matrix/)

### Microsoft Sentinel

```kql
AzureDevOpsAuditing
| where OperationName == "OrganizationPolicy.PolicyValueUpdated"
| extend PolicyName = tostring(Data.PolicyName)
| extend PolicyValue = tostring(Data.PolicyValue)
| where PolicyValue == "ON"
| where PolicyName == "Policy.AllowAnonymousAccess"
| project TimeGenerated, ActorUPN, IpAddress, PolicyName, PolicyValue, ScopeDisplayName
```

This query is designed to monitor Azure DevOps for changes in organization policy settings, specifically focusing on when the option to "Allow Public Projects" is enabled. Here's a simple breakdown of what the query does:

1. **Data Source:** It uses the `AzureDevOpsAuditing` table, which logs various operations and changes within Azure DevOps.
2. **Filter for Specific Operation:** The query looks for entries where the operation name is `OrganizationPolicy.PolicyValueUpdated`, indicating a change in policy settings.
3. **Extract Policy Details:** It extracts the policy name and value from the data, converting them to string format for easier handling.
4. **Check for Public Access:** The query specifically filters for cases where the policy value is set to `"ON"` and the policy name is `Policy.AllowAnonymousAccess`. This indicates that the setting to allow public access to projects has been enabled.
5. **Select Relevant Information:** Finally, it selects and displays key information such as the time of the change, the user who made the change (`ActorUPN`), their IP address, the policy name and value, and the scope of the change.

In summary, this query helps identify when the policy to allow public access to projects in Azure DevOps is turned on, which could be a security concern if not intended.
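
For triage it helps to know whether each enablement is still in effect or was changed again afterwards. The following is an added example, not part of the original query: it pairs every `"ON"` event with the next change to the same policy in the same scope. The sample rows are constructed, and the `"OFF"` value, the placeholder policy name, and the actor, IP and scope values are assumptions.

```kql
// Added example. Rows are constructed stand-ins for AzureDevOpsAuditing;
// actors, IPs, scope names, "Policy.Placeholder" and the "OFF" value are assumptions.
let SampleAudit = datatable(TimeGenerated:datetime, OperationName:string, ActorUPN:string,
                            IpAddress:string, ScopeDisplayName:string, Data:dynamic)
[
    datetime(2024-11-01 09:00:00), "OrganizationPolicy.PolicyValueUpdated", "admin-a@example.com", "203.0.113.10", "org-a",
        dynamic({"PolicyName": "Policy.AllowAnonymousAccess", "PolicyValue": "ON"}),
    datetime(2024-11-01 09:45:00), "OrganizationPolicy.PolicyValueUpdated", "secops@example.com", "203.0.113.20", "org-a",
        dynamic({"PolicyName": "Policy.AllowAnonymousAccess", "PolicyValue": "OFF"}),
    datetime(2024-11-03 14:30:00), "OrganizationPolicy.PolicyValueUpdated", "admin-b@example.com", "198.51.100.7", "org-b",
        dynamic({"PolicyName": "Policy.AllowAnonymousAccess", "PolicyValue": "ON"}),
    datetime(2024-11-04 08:00:00), "OrganizationPolicy.PolicyValueUpdated", "admin-b@example.com", "198.51.100.7", "org-b",
        dynamic({"PolicyName": "Policy.Placeholder", "PolicyValue": "ON"})
];
SampleAudit // replace with AzureDevOpsAuditing to run against workspace data
| where OperationName == "OrganizationPolicy.PolicyValueUpdated"
| extend PolicyName = tostring(Data.PolicyName), PolicyValue = tostring(Data.PolicyValue)
// Filter on the policy first so next() only ever sees changes to this policy
| where PolicyName == "Policy.AllowAnonymousAccess"
// Order each scope's changes in time; sort also serializes the rows for next()
| sort by ScopeDisplayName asc, TimeGenerated asc
| extend FollowedInSameScope = isnotnull(next(TimeGenerated)) and next(ScopeDisplayName) == ScopeDisplayName
| extend ChangedAgainAt = iff(FollowedInSameScope, next(TimeGenerated), datetime(null)),
         ChangedAgainBy = iff(FollowedInSameScope, next(ActorUPN), ""),
         NextValue      = iff(FollowedInSameScope, next(PolicyValue), "")
| where PolicyValue == "ON"
// Still enabled if no later change exists, or the later change set it to ON again
| extend StillEnabled = isnull(ChangedAgainAt) or NextValue == "ON"
| extend EnabledFor = coalesce(ChangedAgainAt, now()) - TimeGenerated
| project EnabledAt = TimeGenerated, EnabledBy = ActorUPN, IpAddress, ScopeDisplayName,
          StillEnabled, ChangedAgainAt, ChangedAgainBy, EnabledFor
| sort by StillEnabled desc, EnabledAt asc
```

Rows with `StillEnabled == true` are the ones to act on first; the lookback window of the query must reach far enough back to include the original enablement.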

Alex Verboon
Released: November 18, 2024