Query Details

Azure Dev Ops Critical Permission Modification

Query

ADOAuditLogs_CL
| where TimeGenerated > ago(1d)
| where ActionId == "Security.ModifyPermission"
| extend d=parse_json(Data)
| extend NamespaceName=tostring(d.NamespaceName), EventSummary=d.EventSummary
| mv-expand EventSummary
| extend permissionNames=tostring(EventSummary.permissionNames), change=tostring(EventSummary.change), subjectDisplayName=tostring(EventSummary.subjectDisplayName)
| where change =~ "allow"
| where permissionNames in~ ("Edit build pipeline","Manage permissions","Queue builds","Administer build","Bypass policies when completing") or NamespaceName in~ ("Git Repositories","ReleaseManagement","PipelinesPrivileges","Project-level Permissions")

About this query

Azure DevOps Critical Permission Modification

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1098.003Additional Cloud Roleshttps://attack.mitre.org/techniques/T1098/003/
T1078.004Cloud Accontshttps://attack.mitre.org/techniques/T1078/004/

Description

Detects critical permission changes in Azure DevOps, specifically focusing on 'allow' changes to sensitive permissions like 'Edit build pipeline', 'Manage permissions', 'Queue builds', 'Administer build', and 'Bypass policies when completing' within key namespaces such as 'Git Repositories', 'ReleaseManagement', 'PipelinesPrivileges', and 'Project-level Permissions'. This rule aims to identify potential privilege escalation or unauthorized access attempts within Azure DevOps environments.

Author <Optional>

References

Defender XDR

Explanation

This query is designed to monitor Azure DevOps for any critical changes to permissions that could indicate potential security risks, such as privilege escalation or unauthorized access. It specifically looks for changes where permissions are set to "allow" for sensitive actions like editing build pipelines, managing permissions, queuing builds, administering builds, and bypassing policies. The query focuses on key areas within Azure DevOps, such as Git Repositories, Release Management, Pipelines Privileges, and Project-level Permissions. It analyzes audit logs from the past day to detect these changes and helps identify any suspicious activities that could compromise the security of the DevOps environment.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: February 26, 2026

Tables

ADOAuditLogs_CL

Keywords

AzureDevOpsPermissionsPipelinesGitRepositoriesReleaseManagementProject-level

Operators

ADOAuditLogs_CL|where>ago()==extendparse_json()tostring()mv-expand=~in~

Actions

GitHub