← Library
sigmaDRL-1.1from SigmaHQ/sigma

Application AppID Uri Configuration Changes

Detects when a configuration change is made to an applications AppID URI.

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1552T1078.004
Rule sourcerules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml
title: Application AppID Uri Configuration Changes
id: 1b45b0d1-773f-4f23-aedc-814b759563b1
status: test
description: Detects when a configuration change is made to an applications AppID URI.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-02
tags:
    - attack.initial-access
    - attack.defense-evasion
    - attack.persistence
    - attack.credential-access
    - attack.privilege-escalation
    - attack.t1552
    - attack.t1078.004
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message:
            - Update Application
            - Update Service principal
    condition: selection
falsepositives:
    - When and administrator is making legitimate AppID URI configuration changes to an application. This should be a planned event.
level: high