Application AppID Uri Configuration Changes

Detects when a configuration change is made to an application's AppID URI.

Sigma rule

title: Application AppID Uri Configuration Changes
id: 1b45b0d1-773f-4f23-aedc-814b759563b1
status: test
description: Detects when a configuration change is made to an application's AppID URI.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-02
tags:
    - attack.initial-access
    - attack.defense-evasion
    - attack.persistence
    - attack.credential-access
    - attack.privilege-escalation
    - attack.t1552
    - attack.t1078.004
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message:
            - Update Application
            - Update Service principal
    condition: selection
falsepositives:
    - When an administrator is making legitimate AppID URI configuration changes to an application. This should be a planned event.
level: high
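The rule's `selection` evaluated over a handful of audit records, as an added example that is not part of the rule or of the Sigma project. The function names are hypothetical and the sample records are constructed; only the field name `properties.message` and its two values come from the rule above.

```python
# Added example: evaluates the rule's `selection` block over constructed records.
# Only the field name and the two values are taken from the rule itself.
SELECTION = {"properties.message": ["Update Application", "Update Service principal"]}


def get_field(event, dotted):
    """Resolve a Sigma field name: try the flat key first, then walk nested dicts."""
    if dotted in event:
        return event[dotted]
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches_selection(event, selection=SELECTION):
    """Every field must match (AND); any listed value may match (OR).
    Plain Sigma strings compare case-insensitively and against the whole value."""
    for field, wanted in selection.items():
        value = get_field(event, field)
        if not isinstance(value, str):
            return False
        if value.lower() not in {w.lower() for w in wanted}:
            return False
    return True


# Constructed sample records (not real tenant data).
SAMPLE_EVENTS = [
    {"properties": {"message": "Update Application"}},        # nested layout
    {"properties.message": "update service principal"},       # flat key, other case
    {"properties": {"message": "Add application"}},           # different activity
    {"properties": {"message": "Update application - Certificates and secrets management"}},
    {"properties": {}},                                       # field missing
]


def run(events=SAMPLE_EVENTS):
    """Return one True/False verdict per record, in order."""
    return [matches_selection(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run()):
        print("MATCH" if hit else "-----", event)
```

Because the selection keys only on the activity name, every `Update Application` or `Update Service principal` record matches, so the analyst still has to confirm from the record's details that the AppID URI was the property that changed.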
