Skip to content

Azure DevOps PAT

Service Name: Azure DevOps

Service Description: Azure DevOps is a Microsoft product that provides version control, reporting, requirements management, project management, automated builds, testing and release management capabilities.

Service Address: https://dev.azure.com/

Validation Type: NHI Enriched API Auth

IP Allow list: Does not exist

Secret Access Scope: Grants access to Azure DevOps resources based on the scopes defined when the token was created. This can include code repositories, build pipelines, work items, and more.

Secret Revokement URL: https://dev.azure.com/{organization}/_usersSettings/tokens

Secret Example: vsts_pat_52characters_long_token_with_alphanumeric_characters

Suspicious Activity Investigation Instructions:

  • Review Azure DevOps audit logs for unusual activity
  • Check for unauthorized repository clones or downloads
  • Look for unexpected build pipeline executions
  • Verify no unauthorized users have been added to projects
  • Examine project settings for unexpected changes

Mitigation Instructions:

  • Immediately revoke the compromised token through the Azure DevOps portal
  • Navigate to your Azure DevOps organization settings
  • Go to Personal Access Tokens section
  • Find the compromised token and select "Revoke"
  • Create a new token with appropriate scopes if needed
  • Review all recent activities performed with the compromised token
  • Update any systems or CI/CD pipelines that were using the token