sigmahighHunting

Application AppID Uri Configuration Changes

Detects when a configuration change is made to an applications AppID URI.

MITRE ATT&CK

initial-accessdefense-evasionpersistencecredential-accessprivilege-escalation

Detection Query

selection:
  properties.message:
    - Update Application
    - Update Service principal
condition: selection

Author

Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'

Created

2022-06-02

Data Sources

azureauditlogs

Platforms

azure

References

https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed

Tags

attack.initial-accessattack.defense-evasionattack.persistenceattack.credential-accessattack.privilege-escalationattack.t1552attack.t1078.004

Raw Content

title: Application AppID Uri Configuration Changes
id: 1b45b0d1-773f-4f23-aedc-814b759563b1
status: test
description: Detects when a configuration change is made to an applications AppID URI.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-02
tags:
    - attack.initial-access
    - attack.defense-evasion
    - attack.persistence
    - attack.credential-access
    - attack.privilege-escalation
    - attack.t1552
    - attack.t1078.004
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message:
            - Update Application
            - Update Service principal
    condition: selection
falsepositives:
    - When and administrator is making legitimate AppID URI configuration changes to an application. This should be a planned event.
level: high