Azure DevOps audit Correlation with Agent pool Runner Events

Mohammad Shahin 0 Reputation points
2024-03-28T08:58:35.67+00:00

Hi,

I am creating some detections specifically for the scope of pipeline agent pool runners. I have a couple of agent pools; each pool consists of many agents (host1, host2, host3), and these agents have Defender for Endpoint running on them.

I have Azure DevOps auditing enabled with the below categories: Execute, Modify, Remove and Create.

I identified a couple of use cases that can be a sign of malicious activity and I created the needed detection. But the detection is only as useful as its context, so I need to correlate events happening on the agent runner (e.g. host5 in the below figure) with the pipeline that ran on this machine and specify the runId that executed these actions.

I was trying to correlate these events using AzureDevOpsAuditing events, but these don't contain any information about the agent.

Is there any way to achieve this correlation? Is there any specific auditing config that I can enable to see such information?

Image


1 answer

  1. ManoharLakkoju 535 Reputation points Microsoft Vendor
    2024-03-28T12:36:13.0733333+00:00

    @Mohammad Shahin
    Welcome to the Microsoft Q&A Platform, and thanks for posting your query here. Azure DevOps related queries/issues are currently not supported on this Microsoft Q&A platform.

    I would request you to please post your queries in the dedicated forums at the links below:

    https://developercommunity.visualstudio.com/spaces/21/index.html

    https://developercommunity.visualstudio.com/t/get-unique-id-from-devops-organization/756710

    https://stackoverflow.com/questions/tagged/azure-devops
