when and administrator is making legitimate uri configuration changes to an application. this should be a planned event.

t1078
t1078.004
t1528
azure
sigma

Techniques

t1078
t1078.004
t1528

Sample rules

Application URI Configuration Changes

source: sigma
technicques:
- t1078
- t1078.004
- t1528

Description

Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.

Detection logic

condition: selection
selection:
  properties.message: Update Application Sucess- Property Name AppAddress