Techniques
Sample rules
Entra ID OAuth Application Redirect URI Modified
- source: elastic
- technicques:
- T1528
- T1556
Description
Identifies modifications to OAuth application redirect URIs (ReplyUrls) in Entra ID. Adding an attacker-controlled redirect URI to an existing trusted application allows interception of OAuth authorization codes when users authenticate through that application’s normal login flow, enabling token theft without requiring a new application registration or consent event.
Detection logic
data_stream.dataset: "azure.auditlogs" and
azure.auditlogs.operation_name: "Update application" and
event.outcome: ("Success" or "success") and
azure.auditlogs.properties.target_resources.*.modified_properties.*.display_name: "AppAddress"