Azure DevOps Auditing: Monitoring Who Did What

September 22, 2020 Troy Micka

Managing the security and audit records for who is accessing and modifying resources inside Azure DevOps has historically presented a challenge. In the era of modern development, developers are working on multiple devices, with devices roaming from both the corporate office and the home office. Based on this new paradigm, organizations in regulated fields are often pressed with securing developer workstations and ensuring access is properly secured to sensitive code that will be published to production workloads. In a worst-case scenario, security teams are often left trying to piece together, based on circumstantial audit logs, which developer accessed a code repository, at what time, and using a given device after an issue is suspected.

Recently, Microsoft has updated Azure DevOps to support integrated auditing capabilities with the ability to integrate into SEIM solutions provided by both Splunk and Microsoft. These new capabilities offer the first chance for security teams to gain insight into usage and auditing within Azure DevOps and enable the ability to leverage SEIM solutions to trigger alerts based on user activity in Azure DevOps.

Auditing Options in Azure DevOps

Based on the new capabilities recently introduced in Azure DevOps, security teams can leverage the auditing features available to provide alerting capabilities based on their SEIM solution. Generally, when setting up an SEIM solution, it is best to leverage as much of a platform as possible based on the available integrated solutions. As previously stated, Microsoft recently introduced support for both Splunk and Azure log analytics as receiving targets for auditing streams being sent by Azure DevOps. Given that Azure log analytics is a built-in solution on the Azure platform for auditing and log collection, we will be primarily focusing on this solution as it provides an integrated holistic solution for centralizing log and auditing data management.

Setting Up Auditing With Azure Log Analytics

If you want to set up Azure DevOps to audit into log analytics, you will need to at least be a project collection administrator or be granted permissions to enable and configure auditing streams in Azure DevOps. Additionally, you will need to know your target log analytics workspace ID and shared key. To get started with creating an auditing stream, go to the organizational settings, then the auditing blade, and then select “Streams”. Once on the streams page, select “New Stream”, then “Azure Monitor Logs”, and then input your Azure monitor logs workspace ID and your Azure monitor logs shared key. Once you have done this, you have successfully enabled your Azure DevOps auditing logs to flow as a stream to your Azure log analytics workspace.

DevOps and Sentinel – A Match Made in Azure

Once your audit events are flowing to Azure Log Analytics, your IT security team should now be able to access your centralized audit data for Azure DevOps. The beauty of leveraging Azure log analytics for your audit logging is that you can now take advantage of Azure Sentinel to manage your alerting and threat-hunting for Azure DevOps among other Azure services in a unified system solution. For a starting point, you can look at the Azure Sentinel GitHub repository for some sample detections and threat hunting queries. Additionally, you can reach out to engage our security consultants who will be able to bring experience and expertise in using Azure Sentinel to deliver a more unified Microsoft based security solution.

Curious to learn more about DevOps?
Join Us on September 24, 2020 to a free webinar all about DevOps and its transformative capabilities.
Register Now

About the Author
Troy Micka is an Azure DevOps Consultant at New Signature, located in our Southeast United States region. Troy spends his time helping customers bring experience and expertise in using Azure DevOps to innovate faster and achieve more with Microsoft-based tooling.

Previous Tweet
New Signature
New Signature

It’s not too late! You can still catch us at 10:00 AM EDT for our How to Transform with #DevOps webinar. R...

Next Tweet
New Signature
New Signature

This week we’re coming to you with four reasons you should join us for our DevOps webinar on Thursday. Sep...