id: 9fb2ee72-959f-4c2b-bc38-483affc539e4
name: Application ID URI Changed
description: |
'Detects changes to an Application ID URI.
Monitor these changes to make sure that they were authorized.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed'
severity: Medium
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
- PrivilegeEscalation
relevantTechniques:
- T1078.004
tags:
- AADSecOpsGuide
query: |
AuditLogs
| where Category == "ApplicationManagement"
| where OperationName has_any ("Update Application", "Update Service principal")
| extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
| extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend UpdatedBy = iif(isnotempty(appName), appName, UPN)
| extend mod_props = TargetResources[0].modifiedProperties
| extend AppName = tostring(TargetResources[0].displayName)
| mv-expand mod_props
| where mod_props.displayName has "AppIdentifierUri"
| extend OldURI = tostring(mod_props.oldValue)
| extend NewURI = tostring(mod_props.newValue)
| project-reorder TimeGenerated, OperationName, AppName, OldURI, NewURI, UpdatedBy
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: UpdatedBy
- entityType: URL
fieldMappings:
- identifier: Url
columnName: NewURI
version: 1.0.0
kind: Scheduledcloudflare/Azure-Sentinel
Publicmirrored fromhttps://github.com/cloudflare/Azure-Sentinel
Detections/AuditLogs/ApplicationIDURIChanged.yaml
47lines · modepreview
Added new detections and hunting queries for the AAD Sec Ops Guide Removed URL localization from queries Repleaced incorrect 'scheduled' with 'Scheduled'9bcef98
3 years ago