Auditing for Azure DevOps enables organization administrators to monitor and react to changes throughout their organizations. Today we are excited to announce that streaming for auditing is now available for all organizations as a public preview! Streaming allows audit data to be sent automatically to other locations for further processing. Sending auditing data to Security Incident and Event Management (SIEM) tools opens up exciting new possibilities such as alerting on specific events, creating powerful views on top of auditing data, and performing automated anomaly detection. It also allows you to store more than the 90-days’ worth of auditing data that Azure DevOps keeps.
The following stream targets are available to be configured:
Splunk – Connect to on-premises or cloud-based Splunk.
Azure Monitor Log – Send auditing logs to Azure Monitor Logs. Logs stored in Azure Monitor Logs can be queried and have alerts configured. You can also connect Azure Sentinel to your workspace.
Azure Event Grid – For scenarios where you want your auditing logs to be sent somewhere else, whether inside or outside of Azure, you can set up an Azure Event Grid connection.
Streaming can be found under Organization Settings if you are a Project Collection Administrator or have the Manage audit streams permission. For more information, see our documentation.
We’d love to hear your feedback as we continue to move towards making this feature generally available! You can share your thoughts directly with the product team using @AzureDevOps, Developer Community, or by commenting on this post.
Geat! It is a feature that I personally and a lot of customers I know were really expecting and waiting for!
We had our own workaround ( Audit Los Forwarding ), but now it is time to use built-in functionality.
Glad to hear this removes the need for the workaround! 🙂
Can you provide to which table in log analytics the auditlogs are send?
The table is called AzureDevOpsAuditing.
And what is your recommendation when we have multiple DevOps organizations in our company? Should we stream the logs into one single Azure Monitor workspace or each organization to a dedicated one?
@Tomasz – I’d recommend streaming them into one workspace. Each audit event has the organization name and unique ID. So, you can splice your queries to focus on a specific organization if you wish.
Another reason you would want to stream to one workspace is the ability to correlate/combine the results with different sources. Multiple workspaces might be a good idea when you have DevOps organizations that are hosted in different geographical locations to avoid data transfer cost or you would restrict the logs to a specific geographic location for compliance reasons.