AzureDevOpsAuditing with Sentinel
30 Nov 2020
Introduction
Azure DevOps audit streaming was recently introduced. It lets you send the Azure DevOps audit logs directly into a SIEM solution such as Azure Sentinel, without writing custom PowerShell/REST code to pull them.
Setting up
The setup is easy: create a new stream, select Azure Sentinel as the target, and connect it with the Azure Log Analytics workspace ID and key. From then on the audit events are streamed into the Log Analytics workspace.
Query data
All data ends up in the custom table called AzureDevOpsAuditing.
Example reports
For example, to list all group changes, run the following KQL query in your Sentinel environment:
AzureDevOpsAuditing
| where Area == "Group"
| project ActorUPN, OperationName, Details, IpAddress, TimeGenerated
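Building on that query, the following is an added example (not from the original post) of a hunting query for suspicious behaviour: membership additions to administrator groups performed from an actor/IP address combination that was not seen in the previous 30 days. It only uses the columns the post shows; the OperationName value "Group.UpdateGroupMembership.Add" and the group-name patterns are assumptions you should verify against your own data.

```kql
// Added example, not part of the original post.
// Assumptions: OperationName "Group.UpdateGroupMembership.Add" names a
// membership addition, and administrator groups carry "Administrators"
// in their name. Adjust both to what you see in your AzureDevOpsAuditing data.
let lookback = 30d;   // baseline period for "known" actor/IP pairs
let window   = 1d;    // period being inspected
// Actor/IP pairs that performed Group changes during the baseline period
let knownPairs = AzureDevOpsAuditing
    | where TimeGenerated between (ago(lookback) .. ago(window))
    | where Area == "Group"
    | summarize by ActorUPN, IpAddress;
// Recent additions to administrator groups, keeping only the rows whose
// actor/IP pair never appeared in the baseline (leftanti = no match in knownPairs)
AzureDevOpsAuditing
| where TimeGenerated > ago(window)
| where Area == "Group"
| where OperationName == "Group.UpdateGroupMembership.Add"
| where Details has_any ("Project Collection Administrators", "Project Administrators")
| join kind=leftanti knownPairs on ActorUPN, IpAddress
| project TimeGenerated, ActorUPN, IpAddress, OperationName, Details
| order by TimeGenerated desc
```

Run it over a longer window first to tune the group-name patterns before turning it into a scheduled analytics rule.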
Resources
More info on the AzureDevOpsAuditing table can be found here: AzureDevOpsAuditing
Conclusion
This is a nice solution to quickly get insight into what is happening in your DevOps environment. Additional queries need to be created to find suspicious behaviour occurring in your environment.
(this post will be updated with new tips and tricks, and when changes happen on Azure DevOps Auditing and Sentinel integration)