Azure Dev Ops Critical Search Queries
Query
// Detect suspicious code search queries (possible secret hunting)
ADOAuditLogs_CL
| where TimeGenerated > ago(7d)
| where ActionId == "Search.Code"
| extend d=parse_json(Data)
| extend SearchQuery=tostring(d.SearchQuery)
| where SearchQuery matches regex @"(?i)(password|passwd|secret|token|apikey|api_key|connectionstring|connstring|credential|private key|BEGIN RSA PRIVATE KEY)"About this query
Azure DevOps Critical Search Queries
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1552.004 | Private keys | https://attack.mitre.org/techniques/T1552/004/ |
Description
This Query detects suspicious code search queries within Azure DevOps audit logs that may indicate an adversary is attempting to find sensitive information such as passwords, API keys, tokens, or private keys. It specifically looks for keywords like 'password', 'secret', 'token', 'apikey', 'api_key', 'connectionstring', 'connstring', 'credential', 'private key', and 'BEGIN RSA PRIVATE KEY' in code search queries.
Author <Optional>
- Name: Benjamin Zulliger
- Github: https://github.com/benscha/KQLAdvancedHunting
- LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/
References
Defender XDR
Explanation
This query is designed to identify potentially suspicious search activities within Azure DevOps audit logs. It focuses on detecting attempts to find sensitive information, such as passwords, API keys, or private keys, by analyzing code search queries. The query looks for specific keywords that are commonly associated with sensitive data, such as 'password', 'secret', 'token', 'apikey', and 'private key'. It examines logs from the past seven days where the action was a code search, and it uses a regular expression to match these keywords in the search queries. This helps in identifying possible secret hunting activities by adversaries.
