cloudflare/Azure-Sentinel

id: 89e6adbd-612c-4fbe-bc3d-32f81baf3b6c
name: Azure DevOps Administrator Group Monitoring
description: |
  'This detection monitors for additions to project or project collection administration groups in an Azure DevOps Organization.'
severity: Medium
queryFrequency: 4h
queryPeriod: 4h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
relevantTechniques:
  - T1098
query: |

  let timeframe = 4h;
  // Change to true to monitor for Project Administrator adds to *any* project
  let MonitorAllProjects = false;
  // If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects
  let ProjectsToMonitor = dynamic(['<project_X>','<project_Y>']);
  AzureDevOpsAuditing
  | where TimeGenerated >= ago(timeframe)
  | where Area == "Group" and OperationName == "Group.UpdateGroupMembership.Add"
  | where Details has 'Administrators'
  | where Details has "was added as a member of group" and (Details endswith '\\Project Administrators' or Details endswith '\\Project Collection Administrators')
  | parse Details with AddedIdentity ' was added as a member of group [' EntityName ']\\' GroupName
  | extend Level = iif(GroupName == 'Project Collection Administrators', 'Organization', 'Project'), AddedIdentityId = Data.MemberId
  | extend Severity = iif(Level == 'Organization', 'High', 'Medium'), AlertDetails = strcat('At ', TimeGenerated, ' UTC ', ActorUPN, '/', ActorDisplayName, ' added ', AddedIdentity, ' to the ', EntityName, ' ', Level)
  | where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == 'Organization'
  | project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, 
    ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details
  | extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress