Query Details
# Azure DevOps - Organization Policy - SSH Authentication

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1133 | Initial Access: Brute Force: External Remote Services | https://attack.mitre.org/techniques/T1133/ |

### Description

The Azure DevOps SSH Authentication setting allows you to enable applications to connect to your organization's Git repos through SSH. Use the query below to identify when SSH Authentication is enabled in Azure DevOps.

#### References

- [Azure DevOps - Use SSH key authentication](https://learn.microsoft.com/en-us/azure/devops/repos/git/use-ssh-keys-to-authenticate?view=azure-devops)
- [DevOps threat matrix](https://www.microsoft.com/en-us/security/blog/2023/04/06/devops-threat-matrix/)
- [Change application connection & security policies for your organization](https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/change-application-access-policies?view=azure-devops)

### Microsoft Sentinel

```kql
AzureDevOpsAuditing
| where OperationName == "OrganizationPolicy.PolicyValueUpdated"
| extend PolicyName = tostring(Data.PolicyName)
| extend PolicyValue = tostring(Data.PolicyValue)
| where PolicyName == "Policy.DisallowSecureShell"
| where PolicyValue == "ON"
| project TimeGenerated, ActorUPN, IpAddress, PolicyName, PolicyValue, ScopeDisplayName
```
This query is designed to monitor changes in the SSH Authentication settings within Azure DevOps. Specifically, it looks for instances where the policy that disallows SSH (Secure Shell) connections is turned on. Here's a simple breakdown of what the query does:
- **Data Source:** It uses the AzureDevOpsAuditing table, which contains logs of various operations and changes within Azure DevOps.
- **Filter for Specific Operation:** The query filters the logs to find entries where the operation name is "OrganizationPolicy.PolicyValueUpdated". This indicates that a policy setting has been updated.
- **Extract Policy Details:** It extracts the policy name and value from the log data to focus on the specific policy of interest.
- **Identify SSH Policy Changes:** It further filters the results to find changes related to the "Policy.DisallowSecureShell" policy, specifically when this policy is set to "ON". This means SSH connections are being disallowed.
- **Output Relevant Information:** Finally, it projects (or selects) specific fields to display, including the time of the change (TimeGenerated), the user who made the change (ActorUPN), the IP address from which the change was made (IpAddress), the policy name and value, and the scope of the policy change (ScopeDisplayName).
In summary, this query helps identify when and by whom the SSH disallow policy is enabled in Azure DevOps, which is important for security monitoring and compliance.
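The query above reports only the "ON" transition. The following added example (not part of the original page) extends the same detection to report both directions of the SSH Authentication toggle and to flag scopes where the setting was flipped more than once within a day, which is the pattern a defender most wants to review. Column names are taken from the query above; the "OFF" value, the human-readable state labels and the one-day window are assumptions.

```kql
// Added example, not from the original page: both directions of the
// SSH Authentication toggle, aggregated per scope and per day.
// Assumptions: the audit record carries "OFF" when the disallow policy is
// cleared, and "ON" (as in the query above) when SSH is disallowed.
AzureDevOpsAuditing
| where OperationName == "OrganizationPolicy.PolicyValueUpdated"
| extend PolicyName = tostring(Data.PolicyName), PolicyValue = tostring(Data.PolicyValue)
| where PolicyName == "Policy.DisallowSecureShell"
// Translate the policy value into the effective SSH Authentication state
| extend SshAuthentication = case(
      PolicyValue == "ON",  "Disabled",   // disallow policy on  -> SSH blocked
      PolicyValue == "OFF", "Enabled",    // disallow policy off -> SSH allowed (assumed value)
      strcat("Unknown (", PolicyValue, ")"))
// One row per organization scope and day, keeping who changed it and from where
| summarize Changes = count(),
            States = make_list(SshAuthentication, 20),
            Actors = make_set(ActorUPN, 20),
            SourceIPs = make_set(IpAddress, 20),
            FirstChange = min(TimeGenerated),
            LastChange = max(TimeGenerated)
    by ScopeDisplayName, Day = bin(TimeGenerated, 1d)
// Keep only scopes toggled more than once in a day; remove this line to list every change
| where Changes > 1
| order by LastChange desc
```

Removing the final `where Changes > 1` filter turns the query into an audit trail of every SSH Authentication change, with the readable state beside the raw policy value.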

Alex Verboon
Released: November 18, 2024