Application URI Configuration Changes

Oct 17, 2023 · attack.t1528 attack.t1078.004 attack.persistence attack.credential_access attack.privilege_escalation ·

Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.

Sigma rule (View on GitHub)

 1title: Application URI Configuration Changes
 2id: 0055ad1f-be85-4798-83cf-a6da17c993b3
 3status: test
 4description: |
 5    Detects when a configuration change is made to an applications URI.
 6    URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.    
 7references:
 8    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes
 9author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
10date: 2022/06/02
11tags:
12    - attack.t1528
13    - attack.t1078.004
14    - attack.persistence
15    - attack.credential_access
16    - attack.privilege_escalation
17logsource:
18    product: azure
19    service: auditlogs
20detection:
21    selection:
22        properties.message: Update Application Sucess- Property Name AppAddress
23    condition: selection
24falsepositives:
25    - When and administrator is making legitimate URI configuration changes to an application. This should be a planned event.
26level: high

References

Microsoft Entra security operations for applications - Microsoft Entra

Learn how to monitor and alert on applications to identify security threats.

Read More

Application URI Configuration Changes

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for applications - Microsoft Entra

Related rules