Azure DevOps - Organization Policy - SSH Authentication
Azure Dev Ops SSH Authentication
Query
AzureDevOpsAuditing
| where OperationName == "OrganizationPolicy.PolicyValueUpdated"
| extend PolicyName = tostring(Data.PolicyName)
| extend PolicyValue = tostring(Data.PolicyValue)
| where PolicyName == "Policy.DisallowSecureShell"
| where PolicyValue == "ON"
| project TimeGenerated, ActorUPN, IpAddress, PolicyName, PolicyValue, ScopeDisplayNameAbout this query
Azure DevOps - Organization Policy - SSH Authentication
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1133 | Initial Access: Brute Force: External Remote Services | https://attack.mitre.org/techniques/T1133/ |
Description
The Azure DevOps SSH Authentication setting allows you to enable applications to connect to your organization's Git repos through SSH.
Use the below query to identify when SSH Authentication is enabled in Azure DevOps
References
- Azure DevOps - Use SSH key authentication
- DevOps threat matrix
- Change application connection & security policies for your organization
Microsoft Sentinel
Explanation
This KQL query is designed to monitor Azure DevOps for changes in the SSH Authentication policy. Specifically, it identifies when the policy that disallows SSH (Secure Shell) connections is turned on. Here's a simple breakdown of what the query does:
-
Data Source: It uses the
AzureDevOpsAuditingtable, which logs various operations and changes within Azure DevOps. -
Filter Operations: The query looks for entries where the operation name is "OrganizationPolicy.PolicyValueUpdated". This indicates that a policy value has been updated.
-
Extract Policy Details: It extracts the policy name and value from the data, specifically focusing on the policy named "Policy.DisallowSecureShell".
-
Check Policy Status: It filters for instances where the policy value is "ON", meaning the policy to disallow SSH connections has been enabled.
-
Output Information: The query outputs the time of the change, the user who made the change (ActorUPN), their IP address, the policy name, the policy value, and the scope of the policy change.
In essence, this query helps administrators track when SSH access is being restricted in Azure DevOps, which is crucial for maintaining security and compliance within the organization.
