Azure application URI modification

Cortex XDR Analytics Alert Reference by data source

Last date published: 2024-04-15
Order: data source

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: AzureAD Audit Log
Detection Modules	Identity Threat Module
ATT&CK Tactic	Defense Evasion (TA0005) Persistence (TA0003)
ATT&CK Technique	Account Manipulation (T1098) Use Alternate Authentication Material (T1550)
Severity	Low

Description

An identity added or updated an Azure application's URI.

Attacker's Goals

An attacker may add certificates or modify authentication methods of an application to authenticate as the application.

Investigative actions

Check whether the account that modified the URI is supposed to perform such actions.
Check for possible logins from the application modified.
Check for possible account consents or credential changes regarding the application.
Follow further actions done by the application.