Merge pull request #9500 from Azure/v-prasadboke-azuredevops
UI corrected for AzureDevAuditing
v-dvedak authored Nov 28, 2023
2 parents dc8dc5e + cc4934f commit 0a03c02
Showing 9 changed files with 677 additions and 676 deletions.
@@ -1,5 +1,5 @@
id: 5f0d80db-3415-4265-9d52-8466b7372e3a
name: Azure DevOps PAT used with Browser.
name: Azure DevOps PAT used with Browser
description: |
'Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications.
This can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser.
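Review bot: the description in this template is written as a literal block scalar (`description: |`) but its first content line still opens with an apostrophe (`'Personal Access Tokens (PATs) are used as an alternate password...`), so that quote character is emitted as part of the rendered description text; the same pattern appears in every other template touched here, and in the Build Check Deleted one it also closes with `deleted. '`, a trailing space before the quote. Since this PR is already tidying the trailing period in `name`, it would be cleaner to drop those stray quotes (and the trailing space) in the same pass rather than leave them for another UI-text cleanup.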
@@ -30,5 +30,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IpAddress
version: 1.0.2
version: 1.0.3
kind: Scheduled
@@ -1,5 +1,5 @@
id: 155e9134-d5ad-4a6f-88f3-99c220040b66
name: Azure DevOps Pipeline modified by a new user.
name: Azure DevOps Pipeline modified by a new user
description: |
'There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to.
This detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Microsoft Entra ID Protection
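Review bot: the unchanged description context reads "This query also joins events with data to Microsoft Entra ID Protection", which should be "with data from Microsoft Entra ID Protection"; and the title case is inconsistent with the other rules in this change ("Pipeline modified by a new user" versus "Build Variable Modified by New User"). Both are visible-text issues of the same kind this PR is fixing, so consider correcting them in the same pass so the UI text does not need a third touch.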
@@ -60,5 +60,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IpAddress
version: 1.0.4
version: 1.0.5
kind: Scheduled
@@ -1,5 +1,5 @@
id: 3b9a44d7-c651-45ed-816c-eae583a6f2f1
name: Azure DevOps Build Variable Modified by New User.
name: Azure DevOps Build Variable Modified by New User
description: |
'Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify
or add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users,
@@ -49,5 +49,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IpAddress
version: 1.0.2
version: 1.0.3
kind: Scheduled
@@ -1,5 +1,5 @@
id: 4ce177b3-56b1-4f0e-b83e-27eed4cb0b16
name: New Agent Added to Pool by New User or Added to a New OS Type.
name: New Agent Added to Pool by New User or Added to a New OS Type
description: |
'As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks.
An attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have
@@ -68,5 +68,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IpAddress
version: 1.0.2
version: 1.0.3
kind: Scheduled
@@ -1,5 +1,5 @@
id: 940386c3-4b2c-4147-ac8e-dcddedaaae52
name: Azure DevOps - Build Check Deleted.
name: Azure DevOps - Build Check Deleted
description: |
'Build checks can be built into a pipeline in order control the release process, these can include things such as the successful passing of certain steps, or an explicit user approval. An attacker who has altered a build process may look to remove a check in order to ensure a compromised build is released. This hunting query simply looks for all check removal events, these should be relatively uncommon. In the output Type shows the type of Check that was deleted. '
requiredDataConnectors: []
@@ -1,5 +1,5 @@
id: 20be967c-4923-4c4b-8e1d-e1c95d537dc3
name: Azure DevOps - Internal Upstream Package Feed Added.
name: Azure DevOps - Internal Upstream Package Feed Added
description: |
'An attacker aiming to insert malicious code into a build process could look to introduce compromised upstream packages into the build process. Looking at internal packages can have a significant false positive rate compared to looking at external feeds so running this as a hunting query at least initially is advised. If an environment has low number of events it can be upgraded to a detection.'
requiredDataConnectors: []
Binary file modified Solutions/AzureDevOpsAuditing/Package/3.0.1.zip
Binary file not shown.
12 changes: 6 additions & 6 deletions Solutions/AzureDevOpsAuditing/Package/createUiDefinition.json
@@ -122,7 +122,7 @@
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "Azure DevOps PAT used with Browser.",
"label": "Azure DevOps PAT used with Browser",
"elements": [
{
"name": "analytic4-text",
@@ -136,7 +136,7 @@
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "Azure DevOps Pipeline modified by a new user.",
"label": "Azure DevOps Pipeline modified by a new user",
"elements": [
{
"name": "analytic5-text",
@@ -178,7 +178,7 @@
{
"name": "analytic8",
"type": "Microsoft.Common.Section",
"label": "Azure DevOps Build Variable Modified by New User.",
"label": "Azure DevOps Build Variable Modified by New User",
"elements": [
{
"name": "analytic8-text",
@@ -290,7 +290,7 @@
{
"name": "analytic16",
"type": "Microsoft.Common.Section",
"label": "New Agent Added to Pool by New User or Added to a New OS Type.",
"label": "New Agent Added to Pool by New User or Added to a New OS Type",
"elements": [
{
"name": "analytic16-text",
@@ -384,7 +384,7 @@
{
"name": "huntingquery3",
"type": "Microsoft.Common.Section",
"label": "Azure DevOps - Build Check Deleted.",
"label": "Azure DevOps - Build Check Deleted",
"elements": [
{
"name": "huntingquery3-text",
@@ -412,7 +412,7 @@
{
"name": "huntingquery5",
"type": "Microsoft.Common.Section",
"label": "Azure DevOps - Internal Upstream Package Feed Added.",
"label": "Azure DevOps - Internal Upstream Package Feed Added",
"elements": [
{
"name": "huntingquery5-text",
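Review bot: the six `label` edits keep createUiDefinition.json in step with the renamed `name` fields in the YAML templates, but the packaged artifacts need the same check: `Solutions/AzureDevOpsAuditing/Package/3.0.1.zip` is rebuilt in place under the unchanged 3.0.1 file name even though the rule templates inside it move to new versions (1.0.3 and 1.0.5), and only eight of the nine changed files are rendered on this page. Please confirm that the ninth file (presumably the solution's mainTemplate.json) carries the same titles without the trailing period and the bumped template versions, and that a package rebuilt with changed content is meant to keep the 3.0.1 version rather than take a new one.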
0 comments on commit 0a03c02