Azure Devops Auditing Packaging changes

excusemeQ · Sep 21, 2022 · 16c3337 · 16c3337
1 parent 8761e9a
commit 16c3337
Show file tree

Hide file tree

Showing 40 changed files with 4,627 additions and 0 deletions.
diff --git a/...sAuditing/ADOAgentPoolCreatedDeleted.yaml → ...tic Rules/ADOAgentPoolCreatedDeleted.yaml b/...sAuditing/ADOAgentPoolCreatedDeleted.yaml → ...tic Rules/ADOAgentPoolCreatedDeleted.yaml
diff --git a/...evOpsAuditing/ADOAuditStreamDisabled.yaml → ...nalytic Rules/ADOAuditStreamDisabled.yaml b/...evOpsAuditing/ADOAuditStreamDisabled.yaml → ...nalytic Rules/ADOAuditStreamDisabled.yaml
diff --git a/...eDevOpsAuditing/ADONewExtensionAdded.yaml → .../Analytic Rules/ADONewExtensionAdded.yaml b/...eDevOpsAuditing/ADONewExtensionAdded.yaml → .../Analytic Rules/ADONewExtensionAdded.yaml
diff --git a/...DevOpsAuditing/ADOPATUsedWithBrowser.yaml → ...Analytic Rules/ADOPATUsedWithBrowser.yaml b/...DevOpsAuditing/ADOPATUsedWithBrowser.yaml → ...Analytic Rules/ADOPATUsedWithBrowser.yaml
diff --git a/...uditing/ADOPipelineModifiedbyNewUser.yaml → ...c Rules/ADOPipelineModifiedbyNewUser.yaml b/...uditing/ADOPipelineModifiedbyNewUser.yaml → ...c Rules/ADOPipelineModifiedbyNewUser.yaml
diff --git a/...reDevOpsAuditing/ADORetentionReduced.yaml → ...g/Analytic Rules/ADORetentionReduced.yaml b/...reDevOpsAuditing/ADORetentionReduced.yaml → ...g/Analytic Rules/ADORetentionReduced.yaml
diff --git a/...reDevOpsAuditing/ADOSecretNotSecured.yaml → ...g/Analytic Rules/ADOSecretNotSecured.yaml b/...reDevOpsAuditing/ADOSecretNotSecured.yaml → ...g/Analytic Rules/ADOSecretNotSecured.yaml
diff --git a/...uditing/ADOVariableModifiedByNewUser.yaml → ...c Rules/ADOVariableModifiedByNewUser.yaml b/...uditing/ADOVariableModifiedByNewUser.yaml → ...c Rules/ADOVariableModifiedByNewUser.yaml
diff --git a/...vOpsAuditing/AzDOAdminGroupAdditions.yaml → ...alytic Rules/AzDOAdminGroupAdditions.yaml b/...vOpsAuditing/AzDOAdminGroupAdditions.yaml → ...alytic Rules/AzDOAdminGroupAdditions.yaml
diff --git a/...diting/AzDOHistoricPrPolicyBypassing.yaml → ... Rules/AzDOHistoricPrPolicyBypassing.yaml b/...diting/AzDOHistoricPrPolicyBypassing.yaml → ... Rules/AzDOHistoricPrPolicyBypassing.yaml
diff --git a/...ng/AzDOHistoricServiceConnectionAdds.yaml → ...es/AzDOHistoricServiceConnectionAdds.yaml b/...ng/AzDOHistoricServiceConnectionAdds.yaml → ...es/AzDOHistoricServiceConnectionAdds.yaml
diff --git a/...eDevOpsAuditing/AzDOPatSessionMisuse.yaml → .../Analytic Rules/AzDOPatSessionMisuse.yaml b/...eDevOpsAuditing/AzDOPatSessionMisuse.yaml → .../Analytic Rules/AzDOPatSessionMisuse.yaml
diff --git a/...ing/AzDOPipelineCreatedDeletedOneDay.yaml → ...les/AzDOPipelineCreatedDeletedOneDay.yaml b/...ing/AzDOPipelineCreatedDeletedOneDay.yaml → ...les/AzDOPipelineCreatedDeletedOneDay.yaml
diff --git a/...sAuditing/AzDOServiceConnectionUsage.yaml → ...tic Rules/AzDOServiceConnectionUsage.yaml b/...sAuditing/AzDOServiceConnectionUsage.yaml → ...tic Rules/AzDOServiceConnectionUsage.yaml
diff --git a/...UpstreamSourceAddedtoAzureDevOpsFeed.yaml → ...UpstreamSourceAddedtoAzureDevOpsFeed.yaml b/...UpstreamSourceAddedtoAzureDevOpsFeed.yaml → ...UpstreamSourceAddedtoAzureDevOpsFeed.yaml
diff --git a/...sAuditing/NRT_ADOAuditStreamDisabled.yaml → ...tic Rules/NRT_ADOAuditStreamDisabled.yaml b/...sAuditing/NRT_ADOAuditStreamDisabled.yaml → ...tic Rules/NRT_ADOAuditStreamDisabled.yaml
diff --git a/...ewAgentAddedToPoolbyNewUserorofNewOS.yaml → ...ewAgentAddedToPoolbyNewUserorofNewOS.yaml b/...ewAgentAddedToPoolbyNewUserorofNewOS.yaml → ...ewAgentAddedToPoolbyNewUserorofNewOS.yaml
diff --git a/...evOpsAuditing/NewPAPCAPCASaddedtoADO.yaml → ...nalytic Rules/NewPAPCAPCASaddedtoADO.yaml b/...evOpsAuditing/NewPAPCAPCASaddedtoADO.yaml → ...nalytic Rules/NewPAPCAPCASaddedtoADO.yaml
diff --git a/Solutions/AzureDevOpsAuditing/Data/Solution_AzureDevOpsAuditing.json b/Solutions/AzureDevOpsAuditing/Data/Solution_AzureDevOpsAuditing.json
@@ -0,0 +1,50 @@
+{
+  "Name": "AzureDevOpsAuditing",
+  "Author": "Microsoft - [email protected]",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
+  "Description": "The [Azure DevOps](https://azure.microsoft.com/products/devops/) Auditing solution for Microsoft Sentinel allows monitoring Azure DevOps [audit events](https://docs.microsoft.com/azure/devops/organizations/audit/azure-devops-auditing?view=azure-devops&tabs=preview-page#review-audit-log) to enable detection of malicious and/or unauthorized access and modification in the repository or pipelines.  The streaming of [Azure DevOps Audit logs to Azure Monitor](https://docs.microsoft.com/azure/devops/organizations/audit/auditing-streaming?view=azure-devops) must be configured to start ingesting audit events.",
+  "Analytic Rules": [
+    "Analytic Rules/ADOAgentPoolCreatedDeleted.yaml",
+	"Analytic Rules/ADOAuditStreamDisabled.yaml",
+	"Analytic Rules/ADONewExtensionAdded.yaml",
+	"Analytic Rules/ADOPATUsedWithBrowser.yaml",
+	"Analytic Rules/ADOPipelineModifiedbyNewUser.yaml",
+	"Analytic Rules/ADORetentionReduced.yaml",
+	"Analytic Rules/ADOSecretNotSecured.yaml",
+	"Analytic Rules/ADOVariableModifiedByNewUser.yaml",
+	"Analytic Rules/AzDOAdminGroupAdditions.yaml",
+	"Analytic Rules/AzDOHistoricPrPolicyBypassing.yaml",
+	"Analytic Rules/AzDOHistoricServiceConnectionAdds.yaml",
+	"Analytic Rules/AzDOPatSessionMisuse.yaml",
+	"Analytic Rules/AzDOPipelineCreatedDeletedOneDay.yaml",
+	"Analytic Rules/AzDOServiceConnectionUsage.yaml",
+	"Analytic Rules/ExternalUpstreamSourceAddedtoAzureDevOpsFeed.yaml",
+	"Analytic Rules/NewAgentAddedToPoolbyNewUserorofNewOS.yaml",
+	"Analytic Rules/NewPAPCAPCASaddedtoADO.yaml",
+	"Analytic Rules/NRT_ADOAuditStreamDisabled.yaml"
+  ],
+  "Hunting Queries": [
+	"Hunting Queries/AAD Conditional Access Disabled.yaml",
+	"Hunting Queries/Addtional Org Admin Added.yaml",
+	"Hunting Queries/ADOBuildCheckDeleted.yaml",
+	"Hunting Queries/ADOBuildDeletedAfterPipelineMod.yaml",
+	"Hunting Queries/ADOInternalUpstreamPacakgeFeedAdded.yaml",
+	"Hunting Queries/ADONewAgentPoolCreated.yaml",
+	"Hunting Queries/ADONewPackageFeedCreated.yaml",
+	"Hunting Queries/ADONewPATOperation.yaml",
+	"Hunting Queries/ADONewReleaseApprover.yaml",
+	"Hunting Queries/ADOReleasePipelineCreated.yaml",
+	"Hunting Queries/ADOVariableCreatedDeleted.yaml",
+	"Hunting Queries/AzDODisplayNameSwapping.yaml",
+	"Hunting Queries/AzDOPrPolicyBypassers.yaml",
+	"Hunting Queries/Guest users access enabled.yaml",
+	"Hunting Queries/Project visibility changed to public.yaml",
+	"Hunting Queries/Public project created.yaml",
+	"Hunting Queries/Public Projects enabled.yaml"
+  ],
+  "Metadata": "SolutionMetadata.json",
+  "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\AzureDevOpsAuditing",
+  "Version": "2.0.0",
+  "TemplateSpec": true,
+  "Is1PConnector": true
+}
diff --git a/...ting/AAD Conditional Access Disabled.yaml → ...ries/AAD Conditional Access Disabled.yaml b/...ting/AAD Conditional Access Disabled.yaml → ...ries/AAD Conditional Access Disabled.yaml
diff --git a/...eDevOpsAuditing/ADOBuildCheckDeleted.yaml → ...Hunting Queries/ADOBuildCheckDeleted.yaml b/...eDevOpsAuditing/ADOBuildCheckDeleted.yaml → ...Hunting Queries/ADOBuildCheckDeleted.yaml
diff --git a/...ting/ADOBuildDeletedAfterPipelineMod.yaml → ...ries/ADOBuildDeletedAfterPipelineMod.yaml b/...ting/ADOBuildDeletedAfterPipelineMod.yaml → ...ries/ADOBuildDeletedAfterPipelineMod.yaml
diff --git a/.../ADOInternalUpstreamPacakgeFeedAdded.yaml → .../ADOInternalUpstreamPacakgeFeedAdded.yaml b/.../ADOInternalUpstreamPacakgeFeedAdded.yaml → .../ADOInternalUpstreamPacakgeFeedAdded.yaml
diff --git a/...evOpsAuditing/ADONewAgentPoolCreated.yaml → ...nting Queries/ADONewAgentPoolCreated.yaml b/...evOpsAuditing/ADONewAgentPoolCreated.yaml → ...nting Queries/ADONewAgentPoolCreated.yaml
diff --git a/...ureDevOpsAuditing/ADONewPATOperation.yaml → ...g/Hunting Queries/ADONewPATOperation.yaml b/...ureDevOpsAuditing/ADONewPATOperation.yaml → ...g/Hunting Queries/ADONewPATOperation.yaml
diff --git a/...OpsAuditing/ADONewPackageFeedCreated.yaml → ...ing Queries/ADONewPackageFeedCreated.yaml b/...OpsAuditing/ADONewPackageFeedCreated.yaml → ...ing Queries/ADONewPackageFeedCreated.yaml
diff --git a/...DevOpsAuditing/ADONewReleaseApprover.yaml → ...unting Queries/ADONewReleaseApprover.yaml b/...DevOpsAuditing/ADONewReleaseApprover.yaml → ...unting Queries/ADONewReleaseApprover.yaml
diff --git a/...psAuditing/ADOReleasePipelineCreated.yaml → ...ng Queries/ADOReleasePipelineCreated.yaml b/...psAuditing/ADOReleasePipelineCreated.yaml → ...ng Queries/ADOReleasePipelineCreated.yaml
diff --git a/...psAuditing/ADOVariableCreatedDeleted.yaml → ...ng Queries/ADOVariableCreatedDeleted.yaml b/...psAuditing/ADOVariableCreatedDeleted.yaml → ...ng Queries/ADOVariableCreatedDeleted.yaml
diff --git a/...psAuditing/Addtional Org Admin Added.yaml → ...ng Queries/Addtional Org Admin Added.yaml b/...psAuditing/Addtional Org Admin Added.yaml → ...ng Queries/Addtional Org Admin Added.yaml
diff --git a/...vOpsAuditing/AzDODisplayNameSwapping.yaml → ...ting Queries/AzDODisplayNameSwapping.yaml b/...vOpsAuditing/AzDODisplayNameSwapping.yaml → ...ting Queries/AzDODisplayNameSwapping.yaml
diff --git a/...DevOpsAuditing/AzDOPrPolicyBypassers.yaml → ...unting Queries/AzDOPrPolicyBypassers.yaml b/...DevOpsAuditing/AzDOPrPolicyBypassers.yaml → ...unting Queries/AzDOPrPolicyBypassers.yaml
diff --git a/...sAuditing/Guest users access enabled.yaml → ...g Queries/Guest users access enabled.yaml b/...sAuditing/Guest users access enabled.yaml → ...g Queries/Guest users access enabled.yaml
diff --git a/...Project visibility changed to public.yaml → ...Project visibility changed to public.yaml b/...Project visibility changed to public.yaml → ...Project visibility changed to public.yaml
diff --git a/...vOpsAuditing/Public Projects enabled.yaml → ...ting Queries/Public Projects enabled.yaml b/...vOpsAuditing/Public Projects enabled.yaml → ...ting Queries/Public Projects enabled.yaml
diff --git a/...evOpsAuditing/Public project created.yaml → ...nting Queries/Public project created.yaml b/...evOpsAuditing/Public project created.yaml → ...nting Queries/Public project created.yaml
diff --git a/Solutions/AzureDevOpsAuditing/Package/2.0.0.zip b/Solutions/AzureDevOpsAuditing/Package/2.0.0.zip
diff --git a/Solutions/AzureDevOpsAuditing/Package/createUiDefinition.json b/Solutions/AzureDevOpsAuditing/Package/createUiDefinition.json
diff --git a/Solutions/AzureDevOpsAuditing/Package/mainTemplate.json b/Solutions/AzureDevOpsAuditing/Package/mainTemplate.json
diff --git a/Solutions/AzureDevOpsAuditing/SolutionMetadata.json b/Solutions/AzureDevOpsAuditing/SolutionMetadata.json
@@ -0,0 +1,16 @@
+{
+	"publisherId": "azuresentinel",
+	"offerId": "azure-sentinel-solution-azuredevopsauditing",
+	"firstPublishDate": "2022-09-20",
+	"providers": ["Microsoft"],
+	"categories": {
+		"domains" : ["DevOps"],
+		"verticals": []
+	},
+	"support": {
+        "tier": "Microsoft",
+        "email": "[email protected]",
+        "name": "Microsoft Corporation",
+        "link": "https://support.microsoft.com/"
+    }
+}