Azure DevOps Release Auditing
In a previous post, I discussed using Azure DevOps to stream audit data to Log Analytics (Azure Monitor Logs).
In this post, I am going to expand on how the Release Areas can be used. Imagine that you want anyone in the organization to be able to create a release, a release pipeline, or a build pipeline, but you want to know the moment they create it. Allowing for self-help is what DevOps is all about: “trust but verify,” as the old saying goes.
Monitor Release Creation
To create a query that displays every release created, including the person who created it, use the following KQL query. Note that I’m only projecting a few columns; there is a lot more data that you can see if you remove the project line to view the raw data. My examples give the bare minimum information to show how easy this information is to use.
AzureDevOpsAuditing
| where OperationName == 'Release.ReleaseCreated'
| project TimeGenerated, OperationName, ActorDisplayName, Details
| order by TimeGenerated
To test this query out, I will create a release in a release pipeline named
Here you can see that the resulting release is named
I want to track this event in Azure DevOps via the query from above. In the Results tab you can see that we’ve detected this event.
Creating an alert based on the query is pretty straightforward; see Log Alerts for more details.
Monitor Release Pipeline Creation
Even more critical than Release Creation is monitoring Release Pipeline Creation. Knowing who is creating pipelines in your company is not only important from a perspective of audits but for security in general. If a bad actor finds a way to create a release pipeline, release to production through that new pipeline, and then delete the pipeline, you will see it in the logs with this approach and will be alerted immediately when the release pipeline is created.
The query for this is very similar. The only change is the OperationName changed from
AzureDevOpsAuditing
| where OperationName == 'Release.ReleasePipelineCreated'
| project TimeGenerated, OperationName, ActorDisplayName, Details
| order by TimeGenerated
Here is an example, where I create a release pipeline named
Below are the results of the query:
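The create, release, delete scenario described in this section can also be reviewed after the fact by pairing each pipeline creation with a later deletion of the same pipeline. The query below is an added example, not from the original post: it assumes deletions are logged under the Release.ReleasePipelineDeleted operation name and that Data.PipelineName is populated on both events, and it uses constructed sample rows (SampleAudit) and a hypothetical one-hour threshold (maxLifetime) so it runs in any workspace.

```kusto
// Constructed sample rows standing in for the AzureDevOpsAuditing table.
// To run against real data, replace SampleAudit with AzureDevOpsAuditing below.
let SampleAudit = datatable(TimeGenerated:datetime, OperationName:string, ActorDisplayName:string, Data:dynamic)
[
    datetime(2024-01-10 14:00:00), 'Release.ReleasePipelineCreated', 'Constructed User A', dynamic({"PipelineName":"temp-pipeline"}),
    datetime(2024-01-10 14:05:00), 'Release.ReleaseCreated',         'Constructed User A', dynamic({"PipelineName":"temp-pipeline"}),
    datetime(2024-01-10 14:20:00), 'Release.ReleasePipelineDeleted', 'Constructed User A', dynamic({"PipelineName":"temp-pipeline"}),
    datetime(2024-01-11 09:00:00), 'Release.ReleasePipelineCreated', 'Constructed User B', dynamic({"PipelineName":"web-app"})
];
// Hypothetical threshold: a pipeline that lives for less than this is worth a look.
let maxLifetime = 1h;
// Assumption: Data.PipelineName identifies the pipeline on both event types.
let created = SampleAudit
    | where OperationName == 'Release.ReleasePipelineCreated'
    | project CreatedTime = TimeGenerated, CreatedBy = ActorDisplayName, PipelineName = tostring(Data.PipelineName);
let deleted = SampleAudit
    | where OperationName == 'Release.ReleasePipelineDeleted'
    | project DeletedTime = TimeGenerated, DeletedBy = ActorDisplayName, PipelineName = tostring(Data.PipelineName);
created
| join kind=inner deleted on PipelineName
// Keep only deletions that follow the creation within the threshold.
| where DeletedTime >= CreatedTime and DeletedTime - CreatedTime <= maxLifetime
| project PipelineName, CreatedBy, CreatedTime, DeletedBy, DeletedTime, Lifetime = DeletedTime - CreatedTime
| order by CreatedTime desc
```

With the sample rows, only temp-pipeline is returned (lifetime of 20 minutes); web-app has no matching deletion and is left out.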
Monitor Build Pipeline Creation
Similar to the Release Pipeline Creation monitoring is Build Pipeline Creation monitoring. The query for this is:
AzureDevOpsAuditing
| where OperationName == 'Pipelines.PipelineCreated'
| project TimeGenerated, OperationName, ActorDisplayName, Details
| order by TimeGenerated
Here is an example, where I create a build pipeline for the
Below are the results of the query:
These are very important questions to answer for audits: “Who approves your releases?” and “Are your pre/post release gates working?”. To answer them, you can use the following query (note, I’m also adjusting to US Central Time for simplicity). I also limit it to only the stage Prod (auditors don’t care about non-Production as much). You can modify this to your own stage names or take the where condition out and search all stages:
AzureDevOpsAuditing
| where Data.StageName == 'Prod'
| where Area == "Release" and OperationName == "Release.ApprovalCompleted"
| project ct_time = TimeGenerated -6h, ActorDisplayName, Data.PipelineName, Data.StageName, Data.ReleaseName, Details
| order by ct_time desc
Explore other Areas in AzureDevOpsAuditing
Hopefully this post has gotten you interested in what Azure DevOps Auditing streams can provide you. There are other Areas that can provide even more visibility into what is going on in your Azure DevOps Services instance, like the Git and many other Areas.
Let me know what you think of this article on twitter @Erpenbeck!