Application AppID Uri Configuration Changes

Detects when a configuration change is made to an applications AppID URI.

Sigma rule (View on GitHub)

 1title: Application AppID Uri Configuration Changes
 2id: 1b45b0d1-773f-4f23-aedc-814b759563b1
 3status: test
 4description: Detects when a configuration change is made to an applications AppID URI.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed
 7author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
 8date: 2022/06/02
 9tags:
10    - attack.persistence
11    - attack.credential_access
12    - attack.privilege_escalation
13    - attack.t1552
14    - attack.t1078.004
15logsource:
16    product: azure
17    service: auditlogs
18detection:
19    selection:
20        properties.message:
21            - Update Application
22            - Update Service principal
23    condition: selection
24falsepositives:
25    - When and administrator is making legitimate AppID URI configuration changes to an application. This should be a planned event.
26level: high

References

Related rules

to-top