Query Details

Azure DevOps - Organization Policy - Additional Protection when using public package registries

Azure Dev Ops Additional Protection When Using Public Package Registries

Query

AzureDevOpsAuditing
| where OperationName == "OrganizationPolicy.PolicyValueUpdated"
| extend PolicyName = tostring(Data.PolicyName)
| extend PolicyValue = tostring(Data.PolicyValue)
| where PolicyValue == "OFF"
| where PolicyName == "Policy.ArtifactsExternalPackageProtectionToken"
| project TimeGenerated, ActorUPN, IpAddress, PolicyName, PolicyValue, ScopeDisplayName

About this query

Azure DevOps - Organization Policy - Additional Protection when using public package registries

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink

Description

Use the below query to identify when Additional Protection when using public package registries is disabled in Azure DevOps

References

Microsoft Sentinel

Explanation

This KQL query is designed to monitor Azure DevOps for changes in organization policies specifically related to the security of using public package registries. It identifies instances where the "Additional Protection" policy for external package protection tokens is turned off. Here's a simple breakdown of what the query does:

  1. Data Source: It looks at the AzureDevOpsAuditing logs, which track changes and operations within Azure DevOps.

  2. Filter by Operation: The query filters for operations where the policy value has been updated, specifically the operation named "OrganizationPolicy.PolicyValueUpdated".

  3. Extract Policy Details: It extracts the policy name and value from the data, converting them to string format for easier handling.

  4. Check Policy Status: It further filters the results to find cases where the policy named "Policy.ArtifactsExternalPackageProtectionToken" is set to "OFF". This indicates that the additional protection for using public package registries has been disabled.

  5. Select Relevant Information: Finally, it projects (selects) specific columns to display: the time the change was made (TimeGenerated), the user who made the change (ActorUPN), their IP address (IpAddress), the policy name and value, and the scope of the policy change (ScopeDisplayName).

This query helps administrators quickly identify and respond to potential security risks associated with disabling additional protection when using public package registries in Azure DevOps.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 16, 2026

Tables

AzureDevOpsAuditing

Keywords

AzureDevOpsOrganizationPolicyPackageRegistriesArtifactsAuditing

Operators

|where==extendtostringproject

Actions

GitHub