"Azure DevOps Personal Access Token (PAT) misuse" rule - allow list?

Question

Hi All&nbsp;This is probably an easy one, but I cannot seem to locate how to do this.&nbsp;I have a number of false-positives in Sentinel relating to the Analytics Rule "Azure DevOps Personal Access Token (PAT) misuse" - where I know the entity (User and IP).&nbsp;How do I configure some kind of 'allow list' to stop getting these alerts?&nbsp;ThanksDarren

clive_watson · Answer

That Alert has an Allowed List https://github.com/Azure/Azure-Sentinel/blob/08a8d2b9c5c9083e341be447773a34b56b205dee/Detections/AzureDevOpsAuditing/AzDOPatSessionMisuse.yaml you need to edit the rule and add your email to the line

let AllowlistedUpns = datatable(UPN:string)['foo@bar.com', 'test@foo.com'];

e.g.

let AllowlistedUpns = datatable(UPN:string)['foo@bar.com', 'test@foo.com','clive@fakeemail.com'];

Forum Discussion

"Azure DevOps Personal Access Token (PAT) misuse" rule - allow list?

1 Reply