Query Details

Azure DevOps - Organization Policy - Log Audit Events

Azure Dev Ops Log Audit Events

Query

AzureDevOpsAuditing
| where OperationName == "OrganizationPolicy.PolicyValueUpdated"
| extend PolicyName = tostring(Data.PolicyName)
| extend PolicyValue = tostring(Data.PolicyValue)
| where PolicyValue == "OFF"
| where PolicyName == "Policy.LogAuditEvents"
| project TimeGenerated, ActorUPN, IpAddress, PolicyName, PolicyValue, ScopeDisplayName

About this query

Azure DevOps - Organization Policy - Log Audit Events

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1562.008Defense Evasion: Impair Defenses: Disable or Modify Cloud Logshttps://attack.mitre.org/techniques/T1562/008/

Description

Keeping track of activities within your Azure DevOps environment is crucial for security and compliance. Auditing helps you monitor and log these activities, providing transparency and accountability

Use the below query to identify when Log Audit Events is disabled in Azure DevOps

References

Microsoft Sentinel

Explanation

This KQL query is designed to monitor Azure DevOps for any instances where the logging of audit events has been disabled. Here's a simple breakdown of what the query does:

  1. Data Source: It pulls data from the AzureDevOpsAuditing table, which contains logs of various operations within Azure DevOps.

  2. Filter Operation: It specifically looks for operations where an organization policy value has been updated (OperationName == "OrganizationPolicy.PolicyValueUpdated").

  3. Extract Policy Details: The query extracts the PolicyName and PolicyValue from the data, converting them to string format for easier handling.

  4. Check for Disabled Logs: It filters the results to find cases where the PolicyValue is set to "OFF" and the PolicyName is "Policy.LogAuditEvents". This indicates that the logging of audit events has been turned off.

  5. Select Relevant Information: Finally, it projects (selects) specific columns to display: the time the change was made (TimeGenerated), the user who made the change (ActorUPN), their IP address (IpAddress), the policy name and value, and the scope of the change (ScopeDisplayName).

In summary, this query helps identify when and by whom the logging of audit events in Azure DevOps has been disabled, which is important for maintaining security and compliance.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 16, 2026

Tables

AzureDevOpsAuditing

Keywords

AzureDevOpsOrganizationPolicyLogAuditEventsActorUPNIpAddressPolicyNamePolicyValueScopeDisplayName

Operators

|where==extendtostringproject

MITRE Techniques

Actions

GitHub