Application URI Configuration Changes

Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.

Sigma rule (View on GitHub)

 1title: Application URI Configuration Changes
 2id: 0055ad1f-be85-4798-83cf-a6da17c993b3
 3status: test
 4description: |
 5    Detects when a configuration change is made to an applications URI.
 6    URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.    
 7references:
 8    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes
 9author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
10date: 2022/06/02
11tags:
12    - attack.t1528
13    - attack.t1078.004
14    - attack.persistence
15    - attack.credential_access
16    - attack.privilege_escalation
17logsource:
18    product: azure
19    service: auditlogs
20detection:
21    selection:
22        properties.message: Update Application Sucess- Property Name AppAddress
23    condition: selection
24falsepositives:
25    - When and administrator is making legitimate URI configuration changes to an application. This should be a planned event.
26level: high

References

Related rules

to-top