Forum Discussion
msagrawal152360 (Copper Contributor)
Mar 06, 2024
Azure DevOps Service as ActorDisplayName in Sentinel Logs
Hello there,
While creating alerts for group membership updates using the AzureDevOpsAuditing table in Sentinel, we observed logs for user addition/removal from certain groups where ActorDisplayName displays "Azure DevOps Service". I believe this is a service and not a username/account.
On checking with the team doing these changes, they confirmed they haven't done such activity wherever the DisplayName is this account. In what cases will the DisplayName be captured as "Azure DevOps Service"?
- Clive_Watson (Bronze Contributor)
  Is one of the groups this one, in which case you can ignore?
  https://learn.microsoft.com/en-us/azure/devops/organizations/audit/azure-devops-auditing?view=azure-devops&tabs=preview-page#q-what-is-the-directoryserviceaddmember-group-and-why-is-it-appearing-on-the-audit-log
  Also if you use Entra (AAD) then please check: https://learn.microsoft.com/en-us/azure/devops/organizations/audit/azure-devops-auditing?view=azure-devops&tabs=preview-page#limitations
- msagrawal152360 (Copper Contributor)
  Thank you for the revert Clive_Watson. Yes, one of the groups is [Organization]\DirectoryServiceAddMember-XXXX-Group and the other group is [Organization]\Azure DevOps Licensed Users. As per the link you shared, the directory service group can be ignored. But what about the other one?
- Clive_Watson (Bronze Contributor)
  Sorry, that's where my knowledge ends... hopefully someone else can assist for that part.