Query Details

Azure DevOps External Guest Access

Query

# Azure DevOps - Organization Policy - External Guest Access

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1098 | Account Manipulation | https://attack.mitre.org/techniques/T1098/|
| T1562 | Impair Defenses | https://attack.mitre.org/techniques/T1562/ |

### Description

Block external guest access: Disable the "Allow invitations to be sent to any domain" policy to prevent external guest access if there's no business need for it.

Use the query below to identify when External Guest Access is enabled in Azure DevOps, that is, when the organization policy Policy.DisallowAadGuestUserAccess is switched to OFF in the audit log.

#### References

- [External Guest access](https://learn.microsoft.com/en-us/azure/devops/organizations/security/security-best-practices?view=azure-devops#external-guest-access)
- [Add external users to your organization](https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/add-external-user?view=azure-devops)
- [DevOps threat matrix](https://www.microsoft.com/en-us/security/blog/2023/04/06/devops-threat-matrix/)

### Microsoft Sentinel

```kql
// Organization-level policy changes recorded in the Azure DevOps audit stream
AzureDevOpsAuditing
| where OperationName == "OrganizationPolicy.PolicyValueUpdated"
// Data is a dynamic column; pull the policy name and its new value out of it
| extend PolicyName = tostring(Data.PolicyName)
| extend PolicyValue = tostring(Data.PolicyValue)
// "OFF" on the Disallow... policy means the restriction was lifted,
// i.e. external (AAD / Entra ID) guest users can now be invited
| where PolicyName == "Policy.DisallowAadGuestUserAccess"
| where PolicyValue == "OFF"
| project TimeGenerated, ActorUPN, IpAddress, PolicyName, PolicyValue, ScopeDisplayName
```

Explanation

This query monitors Azure DevOps for changes to the external guest access policy. Specifically, it looks for audit events where the organization policy that disallows Azure Active Directory (AAD, now Microsoft Entra ID) guest user access is turned off, which is the state in which external guests can be invited. Here's a simplified breakdown of what the query does:

  1. Data Source: It uses data from AzureDevOpsAuditing, which logs various operations within Azure DevOps.

  2. Operation Filter: It filters for operations where the policy value has been updated (OrganizationPolicy.PolicyValueUpdated).

  3. Policy Identification: It identifies the specific policy by checking if the policy name is Policy.DisallowAadGuestUserAccess.

  4. Policy Status: It checks if the policy value is set to "OFF", indicating that the restriction on guest user access has been disabled.

  5. Output: The query projects (or displays) the following details for each relevant event:

    • TimeGenerated: When the policy change occurred.
    • ActorUPN: The user principal name of the actor who made the change.
    • IpAddress: The IP address from which the change was made.
    • PolicyName: The name of the policy.
    • PolicyValue: The value of the policy (in this case, "OFF").
    • ScopeDisplayName: The scope or context in which the policy change was made.

In essence, this query helps identify potential security risks by flagging when external guest access is enabled in Azure DevOps, which could be a concern if there's no business justification for allowing such access.
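The breakdown above describes event-level filtering. The following is an added worked example, not code from the original page or from Microsoft: it re-implements the same filter in Python over constructed AzureDevOpsAuditing-style rows (actors, IP addresses, scope names and the non-target policy name `Policy.SomeOtherPolicy` are made up), and adds a per-scope roll-up of the policy's last recorded value, which the query itself does not provide but which is the first thing a responder wants to know once the alert fires.

```python
"""Added example (not from the original page): the Sentinel query's filter
logic in Python over constructed AzureDevOpsAuditing rows, plus a per-scope
"what is the policy's current value" roll-up."""
import json
from datetime import datetime

TARGET_OPERATION = "OrganizationPolicy.PolicyValueUpdated"
TARGET_POLICY = "Policy.DisallowAadGuestUserAccess"
PROJECTED = ("TimeGenerated", "ActorUPN", "IpAddress", "ScopeDisplayName")


def _row(ts, op, actor, ip, scope, data):
    return {"TimeGenerated": ts, "OperationName": op, "ActorUPN": actor,
            "IpAddress": ip, "ScopeDisplayName": scope, "Data": data}


# Constructed sample rows. Actors, IPs, scopes and "Policy.SomeOtherPolicy"
# are made up. Data is kept as a JSON string so the step that
# tostring(Data.PolicyName) performs in KQL is visible here.
SAMPLE_EVENTS = [
    _row("2024-11-18T09:12:00Z", TARGET_OPERATION, "alice@contoso.example",
         "203.0.113.10", "contoso-org",
         json.dumps({"PolicyName": TARGET_POLICY, "PolicyValue": "OFF"})),
    _row("2024-11-18T09:15:00Z", TARGET_OPERATION, "alice@contoso.example",
         "203.0.113.10", "contoso-org",
         json.dumps({"PolicyName": "Policy.SomeOtherPolicy", "PolicyValue": "OFF"})),
    _row("2024-11-18T10:40:00Z", TARGET_OPERATION, "bob@contoso.example",
         "198.51.100.7", "contoso-org",
         json.dumps({"PolicyName": TARGET_POLICY, "PolicyValue": "ON"})),
    _row("2024-11-18T11:05:00Z", TARGET_OPERATION, "carol@contoso.example",
         "203.0.113.44", "dev-sandbox",
         json.dumps({"PolicyName": TARGET_POLICY, "PolicyValue": "OFF"})),
    _row("2024-11-18T11:30:00Z", "Project.Create", "carol@contoso.example",
         "203.0.113.44", "dev-sandbox", json.dumps({"ProjectName": "x"})),
    _row("2024-11-18T12:00:00Z", TARGET_OPERATION, "mallory@contoso.example",
         "192.0.2.9", "dev-sandbox", "{not valid json"),
]


def parse_data(event):
    """Return the Data payload as a dict. A malformed payload becomes {} so the
    row simply fails to match, as tostring() on a missing field would in KQL."""
    data = event.get("Data")
    if isinstance(data, dict):
        return data
    try:
        parsed = json.loads(data) if isinstance(data, str) else None
    except json.JSONDecodeError:
        return {}
    return parsed if isinstance(parsed, dict) else {}


def find_guest_access_enabled(events):
    """Equivalent of the KQL query: rows where the Disallow-guest policy was set
    to OFF, i.e. external guest access was switched on. The comparison is exact
    and case-sensitive, as KQL '==' is."""
    hits = []
    for ev in events:
        if ev.get("OperationName") != TARGET_OPERATION:
            continue
        data = parse_data(ev)
        name = str(data.get("PolicyName", ""))
        value = str(data.get("PolicyValue", ""))
        if name != TARGET_POLICY or value != "OFF":
            continue
        hit = {k: ev.get(k) for k in PROJECTED}
        hit["PolicyName"] = name
        hit["PolicyValue"] = value
        hits.append(hit)
    return hits


def _ts(event):
    return datetime.fromisoformat(event["TimeGenerated"].replace("Z", "+00:00"))


def latest_policy_state(events):
    """Last recorded value of the target policy per scope, in time order. A scope
    still at "OFF" at the end of the window has guest access enabled right now."""
    state = {}
    for ev in sorted(events, key=_ts):
        if ev.get("OperationName") != TARGET_OPERATION:
            continue
        data = parse_data(ev)
        if str(data.get("PolicyName", "")) != TARGET_POLICY:
            continue
        state[ev.get("ScopeDisplayName")] = str(data.get("PolicyValue", ""))
    return state


if __name__ == "__main__":
    for h in find_guest_access_enabled(SAMPLE_EVENTS):
        print(f"{h['TimeGenerated']} {h['ActorUPN']} from {h['IpAddress']} "
              f"set {h['PolicyName']}={h['PolicyValue']} on {h['ScopeDisplayName']}")
    print("current state per scope:", latest_policy_state(SAMPLE_EVENTS))
```

Two points the example makes explicit: the audit stream records transitions, not state, so a single OFF event says nothing about whether someone switched the policy back (bob's ON event in `contoso-org` does, carol's `dev-sandbox` was never reverted); and the KQL `==` comparison is case-sensitive, so if a tenant's audit rows ever carried a differently cased value the query would miss them, which is worth checking against real rows before relying on the rule.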

Details

Alex Verboon

Released: November 18, 2024

Tables

AzureDevOpsAuditing

Keywords

Azure DevOps
Organization Policy
External Guest Access

Operators

AzureDevOpsAuditing
where
extend
tostring
project