Azure DevOps Agent Service Connection Modification
Modify Az Dev Ops Service Connection RBAC
Query
AzureDevOpsAuditing
| where OperationName == "Security.ModifyPermission" and Data contains "Use Service Connection"
| project timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress, OperationNameExplanation
This query is designed to detect potentially malicious activity in Azure DevOps related to the modification of service connections. Here's a simple breakdown:
- Purpose: The query aims to identify when someone modifies permissions to use a service connection in Azure DevOps, which could indicate an unauthorized or suspicious change.
- Context: Attackers might create or modify agent pools to execute malicious activities within a pipeline. This detection focuses on self-hosted agent pools, which offer more customization and could be exploited by attackers.
- Detection Criteria: The query looks for modifications in permissions related to service connections. It specifically checks for operations named "Security.ModifyPermission" and filters for those involving "Use Service Connection."
- Timeframe: The query checks for these activities over a 14-day period and runs every 7 days.
- Severity: The severity level is set to Medium, indicating a moderate level of concern.
- Tactics and Techniques: It relates to tactics like Persistence and Impact, and techniques such as T1098 (Account Manipulation) and T1496 (Resource Hijacking).
- Entity Mapping: It maps the detected activities to specific user accounts and IP addresses for further investigation.
- Trigger: The query triggers an alert if any such activity is detected, as the threshold is set to greater than 0. In summary, this query helps in identifying unauthorized modifications to service connections in Azure DevOps, which could be a sign of malicious intent.
Details

Thomas Naunheim
Released: February 9, 2024
Tables
AzureDevOpsAuditing
Keywords
AzureDevOpsAgentServiceConnectionModificationSecurityPermissionAccountIPAddressOperationNameActorUPNTimeGenerated
Operators
wherecontainsproject
Severity
MediumTactics
PersistenceImpact
Frequency: 7d
Period: 14d