Upd Tactics/Techniques, combined hunting folder

Detections/AzureDevOpsAuditing/AzDOAdminGroupAdditions.yaml

@@ -6,27 +6,22 @@ requiredDataConnectors:
   - connectorId: AzureMonitor
     dataTypes:
       - AzureDevOpsAuditing
-severity: High
+severity: Medium
 queryFrequency: 4h
 queryPeriod: 4h
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
   - Persistence
-  - PrivilegeEscalation
 relevantTechniques:
   - T1098
 query: |
 
   let timeframe = 4h;
   // Change to true to monitor for Project Administrator adds to *any* project
-  let MontiorAllProjects = false;
+  let MonitorAllProjects = false;
   // If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects
-  let ProjectsToMonitor = datatable(ProjectName:string)
-  [
-  'ProjectA',
-  'ProjectC'
-  ];
+  let ProjectsToMonitor = dynamic(['<project_X>','<project_Y>']);
   AzureDevOpsAuditing
   | where TimeGenerated >= ago(timeframe)
   | where Area == "Group" and OperationName == "Group.UpdateGroupMembership.Add"
@@ -35,7 +30,7 @@ query: |
   | parse Details with AddedIdentity ' was added as a member of group [' EntityName ']\\' GroupName
   | extend Level = iif(GroupName == 'Project Collection Administrators', 'Organization', 'Project'), AddedIdentityId = Data.MemberId
   | extend Severity = iif(Level == 'Organization', 'High', 'Medium'), AlertDetails = strcat('At ', TimeGenerated, ' UTC ', ActorUPN, '/', ActorDisplayName, ' added ', AddedIdentity, ' to the ', EntityName, ' ', Level)
-  | where (MontiorAllProjects == true or EntityName in (ProjectsToMonitor)) or Level == 'Organization'
+  | where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == 'Organization'
   | project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, 
     ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details
   | extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress

Detections/AzureDevOpsAuditing/AzDOHistoricPrPolicyBypassing.yaml

@@ -12,9 +12,7 @@ queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Execution
-  - Impact
-  - PrivilegeEscalation
+  - Persistence
 relevantTechniques:
   - T1098
 query: |
@@ -22,7 +20,7 @@ query: |
   let starttime = 14d;
   let endtime = 3h;
   // Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users
-  let AuthorizedBypassers = datatable(UPN:string)['foo@baz.com', 'test@foo.com'];
+  let AuthorizedBypassers = dynamic(['foo@baz.com', 'test@foo.com']);
   let historicBypassers = AzureDevOpsAuditing
   | where TimeGenerated between (ago(starttime) .. ago(endtime))
   | where OperationName == 'Git.RefUpdatePoliciesBypassed'

Detections/AzureDevOpsAuditing/AzDOHistoricServiceConnectionAdds.yaml

@@ -7,19 +7,17 @@ requiredDataConnectors:
   - connectorId: AzureMonitor
     dataTypes:
       - AzureDevOpsAuditing
-severity: High
+severity: Medium
 queryFrequency: 6h
 queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Execution
+  - Persistence
   - Impact
-  - PrivilegeEscalation
 relevantTechniques:
   - T1098
-  - T1527
-  - T1003
+  - T1496
 query: |
 
   let starttime = 14d;

Detections/AzureDevOpsAuditing/AzDOPatSessionMisuse.yaml

@@ -1,7 +1,8 @@
 id: ac891683-53c3-4f86-86b4-c361708e2b2b
 name: Azure DevOps Personal Access Token (PAT) misuse
 description: |
-  'Description: This Alert detects whenever a PAT is used in ways that PATs are not normally used.  May require Allowlisting and baselining.
+  'This Alert detects whenever a PAT is used in ways that PATs are not normally used.  May require Allowlisting and baselining.
+  Reference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=preview-page
   Use this query for baselining:
   AzureDevOpsAuditing
   | distinct OperationName'
@@ -19,6 +20,7 @@ tactics:
   - Impact
 relevantTechniques:
   - T1528
+  - T1496
 query: |
 
   let timeframe = 3d;

Detections/AzureDevOpsAuditing/AzDOServiceConnectionUsage.yaml

@@ -1,24 +1,24 @@
 id: d564ff12-8f53-41b8-8649-44f76b37b99f
 name: Azure DevOps Service Conection Abuse
 description: |
-  'This detection flags builds/releases that use a large number of service connections if they aren't manually allowlisted.
-  This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.'
+  'Flags builds/releases that use a large number of service connections if they aren't manually allowlisted.
+  This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse 
+  or dump credentials from service connections.'
 requiredDataConnectors:
   - connectorId: AzureMonitor
     dataTypes:
       - AzureDevOpsAuditing
-severity: High
+severity: Medium
 queryFrequency: 1d
 queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Execution
+  - Persistence
   - Impact
 relevantTechniques:
   - T1098
-  - T1527
-  - T1003
+  - T1496
 query: |
 
   let timeframe = 14d;

Hunting Queries/AzureDevOps/AzDODisplayNameSwapping.yaml

@@ -1,23 +0,0 @@
-id: cf0c493b-a8af-4b32-8c7e-d4303f3a406f
-name: Azure DevOps Display Name Changes
-description: |
-  'Description:  Shows all users with more than 1 display name in recent history.  This is to hunt for users maliciously changing their display name as a masquerading technique'
-requiredDataConnectors:
-  - connectorId: AzureMonitor
-    dataTypes:
-      - AzureDevOpsAuditing
-tactics:
-  - Evasion
-  - PrivilegeEscalation
-  - Social
-relevantTechniques:
-  - T1098
-  - T1036
-query: |
-
-  let timeframe = 14d;
-  AzureDevOpsAuditing
-  | where TimeGenerated > ago(timeframe)
-  | where ActorCUID != '00000000-0000-0000-0000-000000000000' and ActorDisplayName != "Azure DevOps User"
-  | summarize dcount(ActorDisplayName), make_set(ActorDisplayName) by ActorCUID
-  | where dcount_ActorDisplayName > 1;

Hunting Queries/AzureDevOpsAuditing/AzDODisplayNameSwapping.yaml

@@ -0,0 +1,23 @@
+id: cf0c493b-a8af-4b32-8c7e-d4303f3a406f
+name: Azure DevOps Display Name Changes
+description: |
+  'Shows all users with more than 1 display name in recent history.  This is to hunt for users maliciously changing their display name as a masquerading technique'
+requiredDataConnectors:
+  - connectorId: AzureMonitor
+    dataTypes:
+      - AzureDevOpsAuditing
+tactics:
+  - Persistence
+  - DefenseEvasion
+relevantTechniques:
+  - T1098
+  - T1036
+query: |
+
+  let timeframe = 14d;
+  AzureDevOpsAuditing
+  | where TimeGenerated > ago(timeframe)
+  | where ActorCUID != '00000000-0000-0000-0000-000000000000' and ActorDisplayName != "Azure DevOps User"
+  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DisplayNameCount = dcount(ActorDisplayName), ActorDisplayNames = make_set(ActorDisplayName), make_set(IpAddress), make_set(ProjectName) by ActorCUID, ActorUPN
+  | where DisplayNameCount > 1
+  | extend timestamp = StartTime, AccountCustomEntity = ActorUPN

Hunting Queries/AzureDevOpsAuditing/AzDOPrPolicyBypassers.yaml

@@ -1,7 +1,7 @@
 id: df205daf-fcf3-4b95-a7fd-043b70f6c209
 name: Azure DevOps Pull Request Policy Bypassing
 description: |
-  'Description:  Looks for users bypassing Update Policies in repos'
+  'Looks for users bypassing Update Policies in repos'
 requiredDataConnectors:
   - connectorId: AzureMonitor
     dataTypes:
@@ -12,6 +12,8 @@ relevantTechniques:
   - T1098
 query: |
 
+  let timeframe = 7d;
   AzureDevOpsAuditing
-  | where 
-    OperationName == 'Git.RefUpdatePoliciesBypassed'
+  | where TimeGenerated >= ago(timeframe)
+  | where OperationName == 'Git.RefUpdatePoliciesBypassed'
+  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress