frack113
25 lines
1.1 KiB
YAML
25 lines
1.1 KiB
YAML
title: Application URI Configuration Changes
|
|
id: 0055ad1f-be85-4798-83cf-a6da17c993b3
|
|
status: experimental
|
|
description: |
|
|
Detects when a configuration change is made to an applications URI.
|
|
URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.
|
|
references:
|
|
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes
|
|
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
|
|
date: 2022/06/02
|
|
tags:
|
|
- attack.t1528
|
|
- attack.persistence
|
|
- attack.credential_access
|
|
logsource:
|
|
product: azure
|
|
service: auditlogs
|
|
detection:
|
|
selection:
|
|
properties.message: Update Application Sucess- Property Name AppAddress
|
|
condition: selection
|
|
falsepositives:
|
|
- When and administrator is making legitimate URI configuration changes to an application. This should be a planned event.
|
|
level: high
|