title: Application URI Configuration Changes
id: 0055ad1f-be85-4798-83cf-a6da17c993b3
description: Detects when a configuration change is made to an applications URI. 
  URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app,
  or URIs that point to domains you do not control should be investigated.   
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022/06/02
references:
  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes
logsource:
  product: azure
  service: auditlogs
detection:
  selection:
    properties.message: Update Application Sucess- Property Name AppAddress
  condition: selection
falsepositives:
  - When and administrator is making legitmate URI configuration changes to an application. This should be a planned event. 
level: high
status: experimental
tags: 
  - attack.t1528
  - attack.persistence
  - attack.credential_access