DevOps Security Monitoring
DevOps Security Monitoring
So far, you have monitored your Azure infrastructure — App Services, Key Vault, Storage, and Azure Activity. But an attacker does not only attack your deployed resources. They may target your build pipeline instead.
This section covers how to monitor the Azure DevOps audit log in Sentinel as part of a complete supply chain security strategy.
Why Monitor the Pipeline?
Supply chain attacks have become one of the most significant threat vectors in cloud security. The 2020 SolarWinds attack demonstrated that compromising build pipelines can give attackers access to thousands of downstream customers. When an attacker gains access to your Azure DevOps organisation, they can:
- Create Personal Access Tokens (PATs) to maintain persistent access
- Modify service connections to point to attacker-controlled infrastructure
- Inject malicious code into build pipelines
- Change permissions and grant themselves elevated roles
By monitoring the pipeline in Sentinel alongside your deployed infrastructure, you get:
- Long-term retention beyond Azure DevOps' 90-day default
- Correlation with infrastructure events — did someone create a PAT, then access Azure?
- Automated alerts via Sentinel analytics rules
- Cross-table KQL hunting across all your data sources
How Azure DevOps Audit Logging Works
Azure DevOps maintains an audit log of all administrative actions:
- Who created pipelines
- Who changed service connections
- Who modified permissions
- Who created tokens
By default, this log is only viewable in the Azure DevOps portal and is retained for 90 days. To send it to Log Analytics, you have two options.
Option A: Built-in Sentinel Connector (Recommended for Labs)
The built-in connector is enabled directly in Sentinel and requires no configuration on the Azure DevOps side.
- In the Azure portal, navigate to your Log Analytics workspace
- Go to Microsoft Sentinel > Data connectors
- Search for Azure DevOps Audit Logs
- Click the connector and select your Azure DevOps organisation name from the dropdown
- Click Apply
The connector automatically ingests audit events into the AzureDevOpsAuditing table. No API keys or streams need to be configured — it uses managed identity under the hood.
Option B: Azure DevOps Audit Streaming (Advanced)
For long-term production deployments, you can also stream audit events from Azure DevOps using the audit stream API. This gives you more control but requires Project Collection Administrator access.
- Open your Azure DevOps organisation in a browser:
https://dev.azure.com/{Your_Organization} - Click the gear icon (Organisation settings)
- Select Auditing (you must be a Project Collection Administrator)
- Go to the Streams tab and click New stream
- Select Azure Monitor Logs as the target type
- Enter your Log Analytics workspace ID and primary key
- Click Set up
Note: The stream sends data to Log Analytics within 30 minutes. You will not see immediate results. This delay is normal — audit events are bundled and transmitted in batches.
The AzureDevOpsAuditing Table
The AzureDevOpsAuditing table has a different schema from AzureDiagnostics. Key columns include:
| Column | Description |
|---|---|
ActorDisplayName | Who performed the action |
ActorUPN | User principal name of the actor |
OperationName | What they did (e.g., Token.PatCreateEvent) |
CategoryDisplayName | Category of the operation |
Details | What changed (JSON) |
IpAddress | Where the action came from |
ProjectName | Which project the action affected |
TimeGenerated | When the action occurred |
To discover what events have arrived:
AzureDevOpsAuditing
| where TimeGenerated > ago(1h)
| take 20
| project TimeGenerated, ActorDisplayName, OperationName, CategoryDisplayName, Details, ProjectNamePAT Detection as a Supply Chain Attack Indicator
Personal Access Tokens (PATs) are credentials that allow programmatic access to Azure DevOps. They are commonly used by attackers because:
- They persist after the user's password is changed
- They can be created without leaving traces in the user's password history
- They can be scoped with broad permissions
The key operation name to detect is Token.PatCreateEvent. A typical detection query:
AzureDevOpsAuditing
| where OperationName == "Token.PatCreateEvent"
| project TimeGenerated, ActorDisplayName, ActorUPN, Details, IpAddress, ProjectName
| where TimeGenerated > ago(5m)Correlating DevOps Events with Azure Activity
The most powerful security investigations connect events across systems. A complete attack chain might look like:
- Step A: Attacker creates a PAT in Azure DevOps (CredentialAccess)
- Step B: Attacker uses the PAT to modify a service connection (Library)
- Step C: Attacker uses the modified service connection to access Azure resources (Azure Activity)
Query both the DevOps audit log and Azure Activity to find correlated events:
let devOpsActor =
AzureDevOpsAuditing
| where OperationName == "Token.PatCreateEvent"
| where TimeGenerated > ago(1h)
| project ActorUPN, PatTime = TimeGenerated, ActorIp = IpAddress
| take 1;
let azureChanges =
AzureActivity
| where TimeGenerated > ago(1h)
| where caller has_any (devOpsActor.ActorUPN)
| project TimeGenerated, OperationName, Caller, resourceGroup;
union devOpsActor, azureChanges
| order by TimeGenerated ascThis query finds who created a PAT in DevOps, then searches Azure Activity for any operations from the same identity in the same time window. This is the cross-table correlation pattern you have been learning throughout Day 4.
DevOps Security Checklist
Use this checklist to review your DevOps security posture:
| Check | What to Look For | Risk Level |
|---|---|---|
| PATs are created | Unexpected PATs = unauthorised access | High |
| Service connections are modified | New connections to unknown cloud subscriptions | High |
| Variable groups are created | Secrets or connection strings added by unauthorised users | High |
| DevOps audit monitoring is active | If the connector or stream is disabled, an attacker has removed their tracks | Critical |
| Pipeline configurations change | Malicious code injection into the build process | Critical |
| Permission changes occur | Unexpected role assignments or group membership changes | Medium |
Lab Connection
In Lab 4.6, you will:
- Set up Azure DevOps audit monitoring to Sentinel (via the built-in connector or audit streaming)
- Query the
AzureDevOpsAuditingtable to explore recent events - Create a PAT detection analytics rule
- Correlate DevOps events with Azure Activity logs
This bridges Day 3's shift-left security with Day 4's runtime monitoring — the pipeline itself is now a monitored asset.