title: Application AppID Uri Configuration Changes
id: 1b45b0d1-773f-4f23-aedc-814b759563b1
description: Detects when a configuration change is made to an applications AppID URI. 
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022/06/02
references:
  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed
logsource:
  product: azure
  service: auditlogs
detection:
  selection:
    properties.message: 
      - Update Application
      - Update Service principal
  condition: selection
falsepositives:
  - When and administrator is making legitmate AppID URI configuration changes to an application. This should be a planned event.
level: high
status: experimental
tags: 
  - attack.t1528
  - attack.persistence
  - attack.credential_access