Title:Application URI Configuration Changes Status:test Description:Detects when a configuration change is made to an applications URI.
URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.
References: -https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes Author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' Date: 2022-06-02 modified:None Tags:
-'attack.t1528'
-'attack.t1078.004'
-'attack.persistence'
-'attack.credential-access'
-'attack.privilege-escalation'
Logsource:
product: azure
service: auditlogs
Detection: selection: properties.message:
'Update Application Sucess- Property Name AppAddress' condition:selection Falsepositives:
-When and administrator is making legitimate URI configuration changes to an application. This should be a planned event. Level:high
