30 Nov 2020
Azure DevOps Audit streaming was recently introduced. It sends the Azure DevOps audit log directly to a SIEM solution such as Azure Sentinel, without writing custom PowerShell or REST code to poll the audit API.
The setup is easy: in your Azure DevOps organization settings create a new audit stream, select the Azure Sentinel target, and connect it with the workspace ID and key of the Log Analytics workspace behind your Sentinel instance. From then on the audit events are streamed into that Log Analytics workspace.
All data ends up in the Log Analytics table called AzureDevOpsAuditing.
For example, to get all group changes execute the following KQL query in your Sentinel environment:
AzureDevOpsAuditing
| where Area == "Group"
| project ActorUPN, OperationName, Details, IpAddress, TimeGenerated
More info on the AzureDevOpsAuditing table can be found here: AzureDevOpsAuditing
This is a nice solution to quickly get insight into what is happening in your Azure DevOps environment. The table only gives you the raw events, though: additional queries still need to be written to find suspicious behaviour occurring in your environment, for example members being added to administrator groups or personal access tokens being created from unusual locations.
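As an added example (not part of the original post), the following KQL query builds on the AzureDevOpsAuditing table to produce two kinds of alerts from one result set: additions to the Project Collection Administrators group, and personal access token (PAT) creations from an IP address the actor has not used in the preceding 30 days. The OperationName values Group.UpdateGroupMembership.Add and Token.PatCreateEvent are taken from the Azure DevOps audit event list, the UserAgent column comes from the table schema, and the assumption that the Details text contains the target group name should be verified against your own data before you turn this into an analytics rule.

```kusto
// Added example query, not from the original post.
// Assumptions: OperationName values match the Azure DevOps audit event list,
// and the Details text of a group-membership event contains the group name.
let lookback = 1d;
let baseline = 30d;
// IP addresses each actor has used before the lookback window (the "known" set)
let known_ips = AzureDevOpsAuditing
    | where TimeGenerated between (ago(baseline) .. ago(lookback))
    | where isnotempty(IpAddress)
    | summarize by ActorUPN, IpAddress;
// Alert 1: someone was added to the organisation-wide admin group
let admin_group_adds = AzureDevOpsAuditing
    | where TimeGenerated > ago(lookback)
    | where OperationName == "Group.UpdateGroupMembership.Add"
    | where Details has "Project Collection Administrators"   // assumption: group name appears in Details
    | extend Reason = "Member added to Project Collection Administrators";
// Alert 2: a PAT was created from an IP address this actor has not used in the baseline period
let pat_from_new_ip = AzureDevOpsAuditing
    | where TimeGenerated > ago(lookback)
    | where OperationName == "Token.PatCreateEvent"
    | join kind=leftanti known_ips on ActorUPN, IpAddress
    | extend Reason = "PAT created from an IP address not seen for this actor in the last 30 days";
union admin_group_adds, pat_from_new_ip
| project TimeGenerated, Reason, ActorUPN, IpAddress, UserAgent, Area, OperationName, Details
| order by TimeGenerated desc
```

Before relying on the OperationName filters, run `AzureDevOpsAuditing | summarize count() by OperationName` in your own workspace to confirm the exact event names your organisation emits, and widen the `has` filter to other privileged groups (Project Administrators, Build Administrators) if those matter in your environment. The leftanti join deliberately treats an actor with no prior events at all as "new IP", which is the behaviour you want for a freshly created or freshly compromised account.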
(This post will be updated with new tips and tricks, and when changes happen to Azure DevOps Auditing and the Sentinel integration.)