Azure DevOps
Personal Access Token
Service Name: Azure DevOps
Service Description: Azure DevOps is a Microsoft product that provides version control, reporting, requirements management, project management, automated builds, testing and release management capabilities. It covers the entire application lifecycle and enables DevOps capabilities.
Service Address: https://dev.azure.com/
Validation Type: API Auth, NHI Enriched
IP Allow list: IP restrictions can be configured at the organization level through Azure DevOps security policies.
Secret Access Scope: Grants programmatic access to Azure DevOps resources and services based on the scopes defined during token creation (repositories, builds, work items, etc.).
Secret Revokement URL: https://dev.azure.com/{organization}/_usersSettings/tokens
Secret Example: 52nu7knpz6qbjtmdvxzogjtdwfmwbzrxgenwk3lf4tdenxad5xzq
Suspicious Activity Investigation Instructions:
- Review Azure DevOps audit logs for unusual API calls or resource access.
- Check for unauthorized repository clones, code changes, or pipeline executions.
- Monitor for unexpected project modifications or permission changes.
- Review access patterns and geographic locations of token usage.
- Check for unusual build or release pipeline modifications.
Mitigation Instructions:
- Navigate to Azure DevOps and go to your user profile (top right corner).
- Select "Personal access tokens" from the user settings menu.
- Find the compromised token in the list.
- Click on the "Revoke" button next to the token.
- Create a new token with appropriate scopes if needed.
- Review all repositories for unauthorized changes.
- Check pipeline configurations for unauthorized modifications.
- Review organization security policies and consider implementing IP restrictions.
- Consider enabling additional security features like conditional access policies if using Azure AD.