Azure DevOps Log Audit Events

# Azure DevOps - Organization Policy - Log Audit Events

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1562.008 | Defense Evasion: Impair Defenses: Disable or Modify Cloud Logs | https://attack.mitre.org/techniques/T1562/008/ |

### Description

Keeping track of activities within your Azure DevOps environment is crucial for security and compliance. Auditing monitors and logs these activities, providing transparency and accountability.

Use the query below to identify when the Log Audit Events organization policy is disabled in Azure DevOps.

#### References

- [Access, export, and filter audit logs](https://learn.microsoft.com/en-us/azure/devops/organizations/audit/azure-devops-auditing?view=azure-devops&tabs=preview-page)
- [DevOps threat matrix](https://www.microsoft.com/en-us/security/blog/2023/04/06/devops-threat-matrix/)

### Microsoft Sentinel

```kql
AzureDevOpsAuditing
| where OperationName == "OrganizationPolicy.PolicyValueUpdated"
| extend PolicyName = tostring(Data.PolicyName)
| extend PolicyValue = tostring(Data.PolicyValue)
| where PolicyValue == "OFF"
| where PolicyName == "Policy.LogAuditEvents"
| project TimeGenerated, ActorUPN, IpAddress, PolicyName, PolicyValue, ScopeDisplayName
```

### Explanation

This query is designed to monitor Azure DevOps for security and compliance purposes by identifying instances where logging of audit events has been disabled. It specifically looks for changes in the organization policy related to audit logging.

Here's a simple breakdown of what the query does:

  1. Data Source: It uses the AzureDevOpsAuditing table, which contains audit logs for Azure DevOps activities.

  2. Filter by Operation: The query filters the logs to find entries where the operation name is "OrganizationPolicy.PolicyValueUpdated". This indicates a change in an organization policy.

  3. Extract Policy Details: It extracts the policy name and value from the log data to focus on specific policy changes.

  4. Check for Disabled Logging: The query further filters the results to find cases where the policy value is set to "OFF" for the policy named "Policy.LogAuditEvents". This means that audit logging has been turned off.

  5. Select Relevant Information: Finally, it selects and displays key information such as the time the change was made, the user who made the change (ActorUPN), their IP address, the policy name, the policy value, and the scope of the change.

This query helps in identifying potential security risks by alerting when audit logging is disabled, which could be an attempt to evade detection of unauthorized activities.
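Because an adversary who disables audit logging typically switches it back on once finished, the disable event alone does not show how long the gap lasted. The following extension of the query above is an added example, not part of the original page or the author's query: it pairs each "OFF" change with the next change to the same policy in the same organization and reports who re-enabled it and how long auditing was off. It assumes that `ScopeDisplayName` identifies the organization and that the value written when auditing is switched back on is `"ON"`.

```kql
AzureDevOpsAuditing
| where OperationName == "OrganizationPolicy.PolicyValueUpdated"
| extend PolicyName = tostring(Data.PolicyName), PolicyValue = tostring(Data.PolicyValue)
| where PolicyName == "Policy.LogAuditEvents"
// Sorting serializes the rows so next() can look at the following change;
// ordering by scope first keeps the lookahead inside one organization (assumption: ScopeDisplayName = organization)
| order by ScopeDisplayName asc, TimeGenerated asc
| extend NextScope = next(ScopeDisplayName),
         NextValue = next(PolicyValue),
         NextTime  = next(TimeGenerated),
         NextActor = next(ActorUPN)
| where PolicyValue == "OFF"
// Assumption: "ON" is the value recorded when the policy is re-enabled
| extend ReEnabled = NextScope == ScopeDisplayName and NextValue == "ON"
| extend ReEnabledAt = iff(ReEnabled, NextTime, datetime(null)),
         ReEnabledBy = iff(ReEnabled, NextActor, ""),
         DisabledFor = iff(ReEnabled, NextTime - TimeGenerated, timespan(null))
| project TimeGenerated, ActorUPN, IpAddress, ScopeDisplayName, ReEnabledAt, ReEnabledBy, DisabledFor
| order by TimeGenerated desc
```

Rows with an empty `ReEnabledAt` are organizations where auditing is still off, which deserve the most urgent follow-up; a short `DisabledFor` with a different `ReEnabledBy` than `ActorUPN` is worth a look too.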

### Details

Author: Alex Verboon

Released: November 18, 2024

Tables: AzureDevOpsAuditing
