Query Details

Azure DevOps Agent Service Connection Modification

Modify Az Dev Ops Service Connection RBAC

Query

AzureDevOpsAuditing
| where OperationName == "Security.ModifyPermission" and Data contains "Use Service Connection"
| project timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress, OperationName

Explanation

This query is designed to detect potentially malicious activity in Azure DevOps related to the modification of service connections. Here's a simple breakdown:

  • Purpose: The query aims to identify when someone modifies permissions to use a service connection in Azure DevOps, which could indicate an unauthorized or suspicious change.
  • Context: Attackers might create or modify agent pools to execute malicious activities within a pipeline. This detection focuses on self-hosted agent pools, which offer more customization and could be exploited by attackers.
  • Detection Criteria: The query looks for modifications in permissions related to service connections. It specifically checks for operations named "Security.ModifyPermission" and filters for those involving "Use Service Connection."
  • Timeframe: The query checks for these activities over a 14-day period and runs every 7 days.
  • Severity: The severity level is set to Medium, indicating a moderate level of concern.
  • Tactics and Techniques: It relates to tactics like Persistence and Impact, and techniques such as T1098 (Account Manipulation) and T1496 (Resource Hijacking).
  • Entity Mapping: It maps the detected activities to specific user accounts and IP addresses for further investigation.
  • Trigger: The query triggers an alert if any such activity is detected, as the threshold is set to greater than 0. In summary, this query helps in identifying unauthorized modifications to service connections in Azure DevOps, which could be a sign of malicious intent.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: February 9, 2024

Tables

AzureDevOpsAuditing

Keywords

AzureDevOpsAgentServiceConnectionModificationSecurityPermissionAccountIPAddressOperationNameActorUPNTimeGenerated

Operators

wherecontainsproject

Severity

Medium

Tactics

PersistenceImpact

MITRE Techniques

Frequency: 7d

Period: 14d

Actions

GitHub