Tags: Azure, Azure DevOps, KQL, Kusto, Sentinel

Azure Sentinel – Detect Service Connection use outside of pipeline

During the work on the Azure AD – Attack and Defense Playbook (1) there was a rather nice byproduct: a simple yet effective query for detecting potential misuse of the service principal (service connection) behind Azure DevOps pipelines.

The analytic detects the scenario where an access token issued to a service principal is used from a different origin (caller IP) than the one it was requested from, and uses entity mapping to tie the alert to the affected resources and accounts.


(1) The Azure AD – Attack and Defense Playbook is a community collaboration project. Check the Contributors.

Following the attackers path – Azure Sentinel Analytics

Azure Sentinel Analytics has one really cool feature which we are using here: Entity Mapping (read about entity mapping). Entity mapping allows us to build a graph of the attacker's path, showing the affected resources.

Entities

The alert uses the following entities: AzureResourceID, Account and Process (Process is only used to surface the action from the ActivityLog; it is not directly meant for this use case, but it maps nicely onto the operations performed on Azure Resource Manager).

Account

Account allows us to track the actions performed by the Azure DevOps connection via its objectId across multiple logs (in a single view!).

AzureResourceID

AzureResourceID allows us to track all events for the resources which were part of the attacker's path.

Query and analytics rule

The query is meant to be run over the access token lifetime period, to uphold the correlation. I did not do extensive QA for it, but once I kicked off the poisoned pipeline, it certainly alerted me 🙂

// Start from ARM control-plane activity and pull the token claims out of the Claims_d column
AzureActivity
| extend parsedClaims = parse_json(Claims_d)
| extend appid = tostring(parsedClaims.appid)            // application id of the calling service principal
| extend activityResource = tostring(parsedClaims.aud)   // audience the token was issued for
| extend activityCor = CorrelationId
// Correlate with the service principal sign-in that issued the token, by application id
| join kind=inner AADServicePrincipalSignInLogs on $left.appid == $right.AppId
| project TimeInActivityLog = TimeGenerated, TimeInSPNLog = TimeGenerated1, ServicePrincipalId, OperationNameValue,
    ipActivity = CallerIpAddress,   // IP that performed the ARM operation
    ipfromSpn = IPAddress,          // IP that requested the token
    appid, ResourceDisplayName, activityResource,
    role = tostring(parse_json(Authorization).evidence.role),
    _ResourceId
// Alert when the token is used from a different origin than it was requested from
| where ipActivity != ipfromSpn
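The same correlation, expressed as a small Python routine over constructed sample records, as an added example (not part of the original post). It mirrors the columns the query uses (appid from the token claims, CallerIpAddress from AzureActivity, IPAddress and ServicePrincipalId from AADServicePrincipalSignInLogs) and adds the token-lifetime window the text says the query should be run over, so that a sign-in only pairs with activity that happened while its token could still be valid. All GUIDs, IPs, resource ids and timestamps below are constructed placeholders.

```python
from datetime import datetime, timedelta

APP_ID = "11111111-1111-1111-1111-111111111111"  # constructed application id of the pipeline SPN

# Constructed AzureActivity records: Claims mirrors the parsed Claims_d column.
ACTIVITY = [
    {"TimeGenerated": datetime(2021, 3, 1, 10, 5), "CallerIpAddress": "203.0.113.10",
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
     "Claims": {"appid": APP_ID, "aud": "https://management.azure.com/"},
     "_ResourceId": "/subscriptions/sub-1/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1"},
    {"TimeGenerated": datetime(2021, 3, 1, 10, 40), "CallerIpAddress": "198.51.100.7",
     "OperationNameValue": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
     "Claims": {"appid": APP_ID, "aud": "https://management.azure.com/"},
     "_ResourceId": "/subscriptions/sub-1"},
    {"TimeGenerated": datetime(2021, 3, 1, 13, 0), "CallerIpAddress": "198.51.100.7",
     "OperationNameValue": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION",
     "Claims": {"appid": APP_ID, "aud": "https://management.azure.com/"},
     "_ResourceId": "/subscriptions/sub-1/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/st1"},
]

# Constructed AADServicePrincipalSignInLogs records: the token request made by the pipeline agent.
SPN_SIGNINS = [
    {"TimeGenerated": datetime(2021, 3, 1, 10, 0), "AppId": APP_ID,
     "ServicePrincipalId": "22222222-2222-2222-2222-222222222222",
     "IPAddress": "203.0.113.10", "ResourceDisplayName": "Windows Azure Service Management API"},
]


def correlate(activity, signins, token_lifetime=timedelta(hours=1)):
    """Join activity to SPN sign-ins on appid (the query's inner join), keep only
    pairs where the activity falls inside the token lifetime after the sign-in,
    and flag pairs whose caller IP differs from the IP that requested the token.
    Returns one finding per suspicious pair, carrying the entity-mapping fields."""
    findings = []
    for act in activity:
        appid = act["Claims"].get("appid")
        for spn in signins:
            if spn["AppId"] != appid:
                continue  # join condition: $left.appid == $right.AppId
            issued = spn["TimeGenerated"]
            if not (issued <= act["TimeGenerated"] <= issued + token_lifetime):
                continue  # sign-in could not have produced the token used here
            if act["CallerIpAddress"] == spn["IPAddress"]:
                continue  # same origin as the token request: expected pipeline behaviour
            findings.append({
                "TimeInActivityLog": act["TimeGenerated"],
                "TimeInSPNLog": issued,
                "Account": spn["ServicePrincipalId"],       # Account entity (objectId of the SPN)
                "AzureResourceID": act["_ResourceId"],      # AzureResourceID entity
                "OperationNameValue": act["OperationNameValue"],
                "ipActivity": act["CallerIpAddress"],
                "ipfromSpn": spn["IPAddress"],
                "appid": appid,
                "ResourceDisplayName": spn["ResourceDisplayName"],
            })
    return findings


if __name__ == "__main__":
    for f in correlate(ACTIVITY, SPN_SIGNINS):
        print(f"{f['TimeInActivityLog']:%H:%M} {f['OperationNameValue']} "
              f"token from {f['ipfromSpn']} used from {f['ipActivity']} on {f['AzureResourceID']}")
```

With the default one-hour window only the 10:40 role-assignment write is flagged: it used a token requested from 203.0.113.10 but came from 198.51.100.7. The 10:05 VM write shares the sign-in IP and is treated as normal pipeline activity, and the 13:00 call is outside the window of the only sign-in on record, so it is not paired at all. Widening the window (or dropping it, as the plain appid join does) pairs every activity with every sign-in of that application, which is why the query should be scoped to the token lifetime.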

End of blog

Azure Sentinel entity mapping is a total game changer for me. I will be looking forward to any new developments in this space.
