Microsoft Sentinel can currently be integrated with two different source control platforms (still in Preview) – Azure DevOps and GitHub. This allows you to manage Microsoft Sentinel resources such as analytics rules, hunting queries, playbooks and more as code. A very useful option, especially if you have multiple customers to manage, for example as an MSSP or as a large organization. There is also a great playbook available for designing Microsoft Sentinel as an MSSP. Follow this link to get the playbook as a PDF file (latest version from November 2022).
However, if you want to integrate Azure DevOps with Microsoft Sentinel, you need to configure some prerequisites. In general, it is straightforward. Make sure you have the following in place before you start the "Create a new connection" wizard under Repositories (Preview) in Sentinel:
– Your Azure DevOps organization
– At least one Azure DevOps project with a logical name
– A repository where you can store your code
– An initialized repo with, for example, a main branch
During the connection setup I was facing some errors in some tenants. The error was:
Error while creating connection.Error: Error while performing Azure DevOps repository fetch. Details: [TF400813: The user is not authorized to access this resource. ], Correlation ID: 826b7a23-dcbe-xyzy-8f9c-d1f2a4f327e3
Microsoft Sentinel uses OAuth to authenticate with Azure DevOps. By default, Azure DevOps no longer allows third-party apps to connect to new organizations, and from the Azure DevOps point of view Sentinel is a third-party app. This means you need to allow third-party applications via OAuth in your Azure DevOps organization.
An extract from Microsoft Learn:
“Third-party application via OAuth – Enable third-party applications to access resources in your organization through OAuth. This policy is defaulted to off for all new organizations. If you want access to third-party applications, enable this policy to make sure these apps can gain access to resources in your organization.”
When you deny access to an authentication method, no application can access your organization through this method. Any application that previously had access will get authentication errors and no longer have access to your organization.
To fix the error “Error while creating connection”, log in to your Azure DevOps organization as an organization admin, then select Security, select Policies, look for Application connection policies and toggle Third-party application via OAuth to On. Then retry configuring the connection from Microsoft Sentinel to Azure DevOps.
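If you manage many customer organizations, it helps to audit this toggle rather than clicking through each portal. The following PowerShell script is an added example, not code from the original post or from Microsoft; it assumes the undocumented organization-policy REST endpoint `Policy.DisallowOAuthAuthentication` (where a value of true means the portal toggle is Off), an organization-admin PAT, and the organization names given as parameters, so verify the endpoint against your own tenant before relying on it.

```powershell
# Added example: report the "Third-party application via OAuth" state for several
# Azure DevOps organizations. ASSUMPTION: the undocumented endpoint
# _apis/OrganizationPolicy/Policies/Policy.DisallowOAuthAuthentication returns the
# *disallow* flag, so $true there means the portal toggle is Off.
param(
    [Parameter(Mandatory)][string[]]$Organizations,  # e.g. 'contoso','fabrikam' (placeholders)
    [Parameter(Mandatory)][string]$Pat               # PAT of an organization admin
)

# Azure DevOps accepts a PAT as the password of HTTP Basic auth with an empty user name
$token   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$Pat"))
$headers = @{ Authorization = "Basic $token" }

function Get-OAuthPolicyState {
    param([string]$Org)
    $uri = "https://dev.azure.com/$Org/_apis/OrganizationPolicy/Policies/" +
           "Policy.DisallowOAuthAuthentication?api-version=5.0-preview.1"   # assumed endpoint
    $resp = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
    # Invert the stored "disallow" flag so the output matches what the portal shows
    [pscustomobject]@{
        Organization           = $Org
        ThirdPartyOAuthEnabled = -not [bool]$resp.policy.value
    }
}

$results = foreach ($org in $Organizations) {
    try   { Get-OAuthPolicyState -Org $org }
    catch { Write-Warning ("{0}: {1}" -f $org, $_.Exception.Message) }
}

# Organizations showing False here will fail the Sentinel repository connection with TF400813.
# Organizations showing True but not using the Sentinel integration (or any other OAuth app)
# are candidates for switching the toggle back Off, since it widens who can request access.
$results | Sort-Object Organization | Format-Table -AutoSize
```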
More content on that topic:
– Change application connection & security policies for your organization