The KQL queries in this folder can be used as part of threat hunting rules or scheduled analytic rules within Microsoft Sentinel.
ADOKitPersistence.kql
This query will show when a PAT or SSH key has been created with ADOKit.
ADOKitUsage.kql
This query will show when any auditable event is performed (e.g., adding user to group) with ADOKit.
ADOAdminGroupAdditions.kql
This is an update to this Sentinel analytic rule logic. The update includes setting `MonitorAllProjects` to `true`, so that all projects are monitored for any additions to the Project Administrators group.
ADOPATMisuse.kql
This is an update to this Sentinel analytic rule logic. The update includes adding the authentication mechanism of `UserAuthToken`.
ADOPersistenceTechniqueDetected.kql
This is a new KQL query to show when an SSH key or PAT has been created.
NewPAPCAPCASaddedtoADO.kql
This is an update to this Sentinel analytic rule logic. The update includes the addition of Project Collection Build Administrators, as well as fixing a bug in the detection when adding a user to the Build Administrators group.