From fd5eb53e1d3a7de1535192a6fab2ff5d7e1bc9ce Mon Sep 17 00:00:00 2001
From: Mark Morowczynski
Date: Thu, 2 Jun 2022 09:46:23 -0700
Subject: [PATCH] Create azure_app_appid_uri_changes.yml

Adding AppID URI changes check
---
 .../azure/azure_app_appid_uri_changes.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/cloud/azure/azure_app_appid_uri_changes.yml

diff --git a/rules/cloud/azure/azure_app_appid_uri_changes.yml b/rules/cloud/azure/azure_app_appid_uri_changes.yml
new file mode 100644
index 000000000..1a765db8c
--- /dev/null
+++ b/rules/cloud/azure/azure_app_appid_uri_changes.yml
@@ -0,0 +1,24 @@
+title: Application AppID Uri Configuration Changes
+id: 1b45b0d1-773f-4f23-aedc-814b759563b1
+description: Detects when a configuration change is made to an applications AppID URI.
+author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
+date: 2022/06/02
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ properties.message:
+ - Update Application
+ - Update Service principal
+ condition: selection
+falsepositives:
+ - When and administrator is making legitmate AppID URI configuration changes to an application. This should be a planned event.
+level: high
+status: experimental
+tags:
+ - attack.t1528
+ - attack.persistence
+ - attack.credential_access
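Review bot: The selection in `detection` keys only on `properties.message` being `Update Application` or `Update Service principal`, so the rule fires on every application or service-principal update, not specifically on AppID URI changes as the title and description claim. The referenced Microsoft guidance distinguishes the AppID URI case by the modified property on the target resource, so the selection should additionally constrain the modified-property name that carries the identifier URI (exact field name to be confirmed against the `auditlogs` schema this rule targets); without that constraint `level: high` will be noisy and the rule is effectively a generic app-change alert. The `falsepositives` entry also has two typos worth fixing in the same commit: `When and administrator` should read `When an administrator`, and `legitmate` should read `legitimate`. The `description` similarly reads `an applications AppID URI` where `an application's AppID URI` is meant.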