Application AppID Uri Configuration Changes

Aug 12, 2024 · attack.persistence attack.credential-access attack.privilege-escalation attack.t1552 attack.t1078.004 ·

Detects when a configuration change is made to an applications AppID URI.

Sigma rule (View on GitHub)

 1title: Application AppID Uri Configuration Changes
 2id: 1b45b0d1-773f-4f23-aedc-814b759563b1
 3status: test
 4description: Detects when a configuration change is made to an applications AppID URI.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed
 7author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 8date: 2022-06-02
 9tags:
10    - attack.persistence
11    - attack.credential-access
12    - attack.privilege-escalation
13    - attack.t1552
14    - attack.t1078.004
15logsource:
16    product: azure
17    service: auditlogs
18detection:
19    selection:
20        properties.message:
21            - Update Application
22            - Update Service principal
23    condition: selection
24falsepositives:
25    - When and administrator is making legitimate AppID URI configuration changes to an application. This should be a planned event.
26level: high

References

Microsoft Entra security operations for applications - Microsoft Entra

Learn how to monitor and alert on applications to identify security threats.

Read More

Application AppID Uri Configuration Changes

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for applications - Microsoft Entra

Related rules