Shift-Left in security has been a trend for a while, and the reason is that automated CI/CD pipelines are tempting breach points for attackers. An unprotected CI/CD pipeline is an easy and tempting route into a production environment and can cause serious damage. One way to improve security is to monitor our pipelines for unwanted changes. Azure DevOps has some great tools for implementing DevSecOps policies, but I think they are a bit hidden. Let’s see what Azure DevOps Audit can do for us.
Azure DevOps Audit
Azure DevOps has a great feature called “Log Audit Events”. The feature is disabled by default, but you can enable it from the Organization > Security > Policies tab.
Just by enabling Log Audit Events you get a nice overview of what is happening inside your DevOps organization. After enabling the feature, hit refresh in your browser and then click the Auditing menu on the left. After a while Azure DevOps should start showing some audit events. In the sample picture below I have modified build and release pipelines and also viewed the Auditing tab. All of these actions are listed in the logs.
But manually checking logs is not enough for us! We want an automated alert if someone is messing with our precious pipelines. To do that we need to stream the audit logs into Azure Log Analytics, and then we can use the alerts feature in Log Analytics.
Stream Logs into Log Analytics
Let’s start the setup by clicking the Streams tab on the Auditing page. On the right we have a button called “New stream”, which allows us to connect Azure DevOps to Azure Monitor Logs (Log Analytics).
The stream requires two settings: Workspace Id and Shared Key. If you don’t have an existing Log Analytics workspace in Azure you need to create one first. Then open the Log Analytics workspace in the Azure Portal and click the “Agents management” tab. There you can find the Workspace Id and Shared Key. Fill the values into Azure DevOps and click Setup at the bottom right.
After a short while you should start receiving events in Log Analytics. The events are stored in the AzureDevOpsAuditing table. Here is the list of fields that are available in the logs:
Now we can use the Log Analytics Alerts feature to trigger alerts on whatever action we like. For example, we could create a query for pipeline changes (OperationName contains PipelineModified), allow-list the users who are permitted to make changes, put a time restriction on that allow-list, and then send an email/Slack/Teams notification about any pipeline change that falls outside it.
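As an added example (not from the original post), here is a KQL query that implements that alert logic: pipeline modifications are flagged unless the actor is on an allow-list and the change happens inside an approved change window. The OperationName filter is the one the post names; the ActorUPN, ProjectName, Details and IpAddress columns come from the standard AzureDevOpsAuditing schema as I know it and should be checked against the field list in your own workspace; the user names and the change window are constructed sample values.

```kusto
// Added example, not part of the original post.
// Assumptions: ActorUPN / ProjectName / Details / IpAddress exist in the
// AzureDevOpsAuditing table; the UPNs and change window are constructed samples.
let ChangeWindowStart = datetime(2021-03-01T08:00:00Z);   // approved change window (sample)
let ChangeWindowEnd   = datetime(2021-03-01T18:00:00Z);
let AllowedEditors = datatable(ActorUPN:string)           // allow-listed pipeline editors (sample)
[
    "alice@example.com",
    "bob@example.com"
];
AzureDevOpsAuditing
| where TimeGenerated > ago(15m)                          // match the alert's evaluation period
| where OperationName contains "PipelineModified"         // filter named in the post
// An edit is expected only when BOTH the actor is allow-listed AND it falls in the window.
| extend IsExpected = ActorUPN in (AllowedEditors)
                  and TimeGenerated between (ChangeWindowStart .. ChangeWindowEnd)
| where not(IsExpected)                                   // everything else is suspicious
| project TimeGenerated, ActorUPN, OperationName, ProjectName, IpAddress, Details
```

Save this as a log alert rule with a 15-minute frequency and the condition “number of results greater than 0”; the action group attached to the rule then delivers the email, Slack or Teams notification. Keeping the allow-list and window as `let` variables at the top makes them easy to update after each planned change without touching the rest of the query.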
Summary
Auditing pipelines is one part of Shift-Left DevSecOps. We want to protect our pipelines because they usually have connections to production and test environments and are a tempting way to bring malware into our environments. You can also use the auditing simply to monitor current usage of Azure DevOps: How many builds do we run a week? How many different users are using the project? What are the peak hours of usage? Use Log Analytics charts to visualize the stats.
To learn more about Azure DevOps audit logs, check the Microsoft documentation.