Azure DevOps PAT
Service Name: Azure DevOps
Service Description: Azure DevOps is a Microsoft product that provides version control, reporting, requirements management, project management, automated builds, testing and release management capabilities.
Service Address: https://dev.azure.com/
Validation Type: NHI Enriched API Auth
IP Allow list: Does not exist
Secret Access Scope: Grants access to Azure DevOps resources based on the scopes defined when the token was created. This can include code repositories, build pipelines, work items, and more.
Secret Revokement URL: https://dev.azure.com/{organization}/_usersSettings/tokens
Secret Example: vsts_pat_52characters_long_token_with_alphanumeric_characters
Suspicious Activity Investigation Instructions:
- Review Azure DevOps audit logs for unusual activity
- Check for unauthorized repository clones or downloads
- Look for unexpected build pipeline executions
- Verify no unauthorized users have been added to projects
- Examine project settings for unexpected changes
Mitigation Instructions:
- Immediately revoke the compromised token through the Azure DevOps portal
- Navigate to your Azure DevOps organization settings
- Go to Personal Access Tokens section
- Find the compromised token and select "Revoke"
- Create a new token with appropriate scopes if needed
- Review all recent activities performed with the compromised token
- Update any systems or CI/CD pipelines that were using the token