Forum Discussion
DarrenP
Nov 23, 2021
Copper Contributor
"Azure DevOps Personal Access Token (PAT) misuse" rule - allow list?
Hi All, this is probably an easy one, but I cannot seem to locate how to do this. I have a number of false positives in Sentinel relating to the Analytics Rule "Azure DevOps Personal Access To...
Clive_Watson
Nov 23, 2021
Bronze Contributor
That Alert has an Allowed List: https://github.com/Azure/Azure-Sentinel/blob/08a8d2b9c5c9083e341be447773a34b56b205dee/Detections/AzureDevOpsAuditing/AzDOPatSessionMisuse.yaml. You need to edit the rule and add your email to the line
let AllowlistedUpns = datatable(UPN:string)['foo@bar.com', 'test@foo.com'];
e.g.
let AllowlistedUpns = datatable(UPN:string)['foo@bar.com', 'test@foo.com','clive@fakeemail.com'];
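An added example, not part of the original posts or of the Sentinel rule: a KQL query that can be pasted into the Logs blade to confirm which actors an edited allowlist would suppress before the rule is saved. The sample rows, operation names and the `ActorUPN` column used for matching are assumptions; how the real rule compares against `AllowlistedUpns` is not shown in the thread, so check whether its comparison is case-sensitive.

```kusto
// Allowlist in the same shape as the rule's AllowlistedUpns line.
let AllowlistedUpns = datatable(UPN:string)
    ['foo@bar.com', 'test@foo.com', 'clive@fakeemail.com'];
// Constructed sample rows standing in for audit events (not real data).
let SampleEvents = datatable(TimeGenerated:datetime, ActorUPN:string, OperationName:string)
[
    datetime(2021-11-23 09:00:00), 'clive@fakeemail.com', 'Constructed.OperationA',
    datetime(2021-11-23 09:05:00), 'Clive@FakeEmail.com', 'Constructed.OperationB',
    datetime(2021-11-23 09:10:00), 'other@example.com',   'Constructed.OperationC'
];
SampleEvents
// in~ matches case-insensitively; plain "in" would treat the
// mixed-case UPN in the second row as not allowlisted.
| extend SuppressedCaseInsensitive = ActorUPN in~ (AllowlistedUpns),
         SuppressedCaseSensitive   = ActorUPN in (AllowlistedUpns)
| project TimeGenerated, ActorUPN, OperationName,
          SuppressedCaseInsensitive, SuppressedCaseSensitive
```

Rows where the two columns differ are UPNs whose casing in the logs does not match the allowlist entry; add them in the casing that appears in the data if the rule compares case-sensitively.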