Detections/AuditLogs/ApplicationRedirectURLUpdate.yaml
# Scheduled Microsoft Sentinel analytics rule.
# Fires when an Azure AD application's redirect (reply) URL list gains at least
# one address that was not present in the previous value of the "AppAddress"
# property of a successful 'Update Application' audit event.
id: a1080fc1-13d1-479b-8340-255f0290d96c
name: Application Redirect URL Update
description: |
  'Detects the redirect URL of an app being changed.
  Applications associated with URLs not controlled by the organization can pose a security risk.
  Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes'
severity: Medium
# Source table: AuditLogs from the Azure Active Directory connector.
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
# Runs once per day over the preceding day and alerts on any result row
# (row count greater than 0).
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
  - PrivilegeEscalation
relevantTechniques:
  - T1078.004
tags:
  - AADSecOpsGuide
# Query outline (KQL):
#  - keeps successful ApplicationManagement / 'Update Application' events and
#    expands each TargetResources entry and its modifiedProperties, retaining
#    only the property whose displayName is "AppAddress"
#  - pulls every "Address" value out of the old and new JSON with extract_all,
#    then keeps rows where set_difference(NewUrls, OldUrls) is non-empty,
#    i.e. at least one address was added (an in-place edit also shows as an add;
#    pure removals do not match)
#  - attributes the change to the initiating user's UPN or, if that is empty,
#    the initiating app's servicePrincipalName, and surfaces user-agent,
#    app display name and the initiating user's IP
# NOTE(review): UserAgent is read only from AdditionalDetails[0]; if the
#   "User-Agent" entry is not the first element the column is blank — confirm
#   the ordering against real events.
# NOTE(review): the '"Address":([^,]*)' regex captures the raw JSON value
#   (quotes included) and stops at the first comma, so an address containing a
#   comma would be truncated — verify against sample AppAddress payloads.
# NOTE(review): ipAddress is taken from InitiatedBy.user only, so changes made
#   by a service principal (InitiatedBy.app) carry an empty ipAddress.
query: |
  AuditLogs
  | where Category =~ "ApplicationManagement"
  | where Result =~ "success"
  | where OperationName =~ 'Update Application'
  | mv-expand TargetResources
  | mv-expand TargetResources.modifiedProperties
  | where TargetResources_modifiedProperties.displayName =~ "AppAddress"
  | extend Key = tostring(TargetResources_modifiedProperties.displayName)
  | extend NewValue = TargetResources_modifiedProperties.newValue
  | extend OldValue = TargetResources_modifiedProperties.oldValue
  | where isnotempty(Key) and isnotempty(NewValue)
  | project-reorder Key, NewValue, OldValue
  | extend NewUrls = extract_all('"Address":([^,]*)', tostring(NewValue))
  | extend OldUrls = extract_all('"Address":([^,]*)', tostring(OldValue))
  | extend AddedUrls = set_difference(NewUrls, OldUrls)
  | where array_length(AddedUrls) > 0
  | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == "User-Agent", tostring(AdditionalDetails[0].value), "")
  | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), "")
  | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), "")
  | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)
  | project-away AddingApp, AddingUser
  | extend AppDisplayName = tostring(TargetResources.displayName)
  | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
  | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress
# Entity mappings: the added URL(s), the initiating identity and the source IP.
# NOTE(review): AddedUrls is a dynamic array rather than a single string;
#   presumably Sentinel maps each element to a URL entity — confirm in the
#   incident view before relying on the URL entity.
entityMappings:
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: AddedUrls
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AddedBy
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: ipAddress
version: 1.0.0
kind: Scheduled