Hunting query that identifies Entra ID application registrations and updates where one or more redirect URIs (reply URLs) point to an external domain that is not a trusted Microsoft endpoint, localhost, or a standard OAuth out-of-band value. An attacker who can register or modify an application may add an attacker-controlled redirect URI to intercept OAuth authorization codes and exchange them for access tokens without user interaction after consent is granted. Trusted prefixes excluded by this
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Standalone Content |
| ID | c4e0baf0-283b-49d7-8b40-a1c72e92a4b2 |
| Tactics | CredentialAccess |
| Techniques | T1528 |
| Required Connectors | AzureActiveDirectory |
| Source | [View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AuditLogs/AppRegistrationWithExternalRedirectUri.yaml) |
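
The redirect URI check in the description, sketched in Python as an added example; this is not the hunting query from the repository. The allowlisted hosts, the `AppAddress` property layout and the sample events are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Assumed values for illustration; not the exclusion list used by the hunting query.
TRUSTED_HOSTS = {"login.microsoftonline.com", "portal.azure.com"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
OOB_VALUES = {"urn:ietf:wg:oauth:2.0:oob"}
WATCHED_OPERATIONS = {"Add application", "Update application"}

def is_external(uri):
    """True for an http(s) redirect URI whose host is not loopback or allowlisted."""
    uri = uri.strip()
    if uri.lower() in OOB_VALUES:
        return False
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return False  # custom-scheme and empty values are out of scope here
    return host not in LOOPBACK_HOSTS and host not in TRUSTED_HOSTS

def external_redirects(event):
    """Return the external redirect URIs set by one audit event (empty if none)."""
    if event.get("OperationName") not in WATCHED_OPERATIONS:
        return []
    hits = []
    for target in event.get("TargetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") != "AppAddress":
                continue
            # newValue is assumed to be a JSON string holding a list of address objects.
            for entry in json.loads(prop.get("newValue") or "[]"):
                if is_external(entry.get("Address", "")):
                    hits.append(entry["Address"])
    return hits

def addresses(*uris):
    """Build a constructed AppAddress property for the sample events."""
    value = json.dumps([{"Address": u} for u in uris])
    return {"modifiedProperties": [{"displayName": "AppAddress", "newValue": value}]}

# Constructed sample events, shaped like AuditLogs rows.
SAMPLE_EVENTS = [
    {"OperationName": "Update application", "TargetResources": [addresses(
        "http://localhost:8400/callback", "https://collector.example.net/cb")]},
    {"OperationName": "Add application", "TargetResources": [addresses(
        "https://login.microsoftonline.com/common/oauth2/nativeclient",
        "urn:ietf:wg:oauth:2.0:oob")]},
    {"OperationName": "Update user", "TargetResources": [addresses("https://collector.example.net/cb")]},
]
```

Calling `external_redirects` on each entry of `SAMPLE_EVENTS` flags only the first event, where an application update adds a non-allowlisted host next to a loopback address.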