cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Azure DevOps Service as ActorDisplayName in Sentinel Logs

msagrawal152360
Copper Contributor

‎Mar 06 2024 12:20 AM

‎Mar 06 2024 12:20 AM

Azure DevOps Service as ActorDisplayName in Sentinel Logs

Hello there,

While creating alerts for group membership update using AzureDevOpsAuditing table in Sentinel, we observed logs for user addition/removal from certain groups where ActorDisplayName displays "Azure DevOps Service". I believe this is a service and not a username/account.

On checking with the team doing these changes, they confirmed they haven't done such activity wherever displayname is this account. In what cases will the DisplayName be captured as "Azure DevOps Service"?

Labels:
451 Views
0 Likes
3 Replies
Reply
3 Replies
msagrawal152360

‎Mar 06 2024 01:21 AM

‎Mar 06 2024 01:21 AM

Re: Azure DevOps Service as ActorDisplayName in Sentinel Logs

Thank you for the revert @Clive_Watson. Yes, one if the groups is [Organization]\DirectoryServiceAddMember-XXXX-Group and the other group is [Organization]\Azure DevOps Licensed Users. As per the link you shared, the directory service group can be ignored. But what about the other one?






0 Likes
Reply
Clive_Watson

‎Mar 06 2024 03:06 AM

‎Mar 06 2024 03:06 AM

Re: Azure DevOps Service as ActorDisplayName in Sentinel Logs

Sorry that's where my knowledge ends...hopefully someone else can assist for that part
1 Like
Reply