Entra ID OAuth Application Redirect URI Modified

Last updated a month ago on 2026-05-20
Created a month ago on 2026-05-20

About

Identifies modifications to OAuth application redirect URIs (ReplyUrls) in Entra ID. Adding an attacker-controlled redirect URI to an existing trusted application allows interception of OAuth authorization codes when users authenticate through that application's normal login flow, enabling token theft without requiring a new application registration or consent event.
Tags
Domain: Cloud
Domain: Identity
Data Source: Azure
Data Source: Microsoft Entra ID
Data Source: Microsoft Entra ID Audit Logs
Use Case: Identity and Access Audit
Tactic: Persistence
Tactic: Credential Access
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Persistence (TA0003)

Credential Access (TA0006)

False Positive Examples
Developers adding localhost redirect URIs for local development environments. CI/CD pipelines updating production redirect URIs during deployment. Application owners adding redirect URIs for new platform support.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.auditlogs-*
Related Integrations

azure

Query
data_stream.dataset: "azure.auditlogs" and azure.auditlogs.operation_name: "Update application" and event.outcome: ("Success" or "success") and azure.auditlogs.properties.target_resources.*.modified_properties.*.display_name: "AppAddress"
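
A triage helper for alerts from this query, added here as an example and not part of the Elastic rule: it diffs the old and new AppAddress values and separates the localhost additions named in the false positive examples from other newly added redirect URIs. The sample event is constructed; the `old_value`/`new_value` field names and their JSON layout (a list of objects with an `Address` key) are assumptions to check against your own events.

```python
import json
from urllib.parse import urlsplit
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def _items(node):
    """Children of a list, or of an index-keyed object ({"0": {...}})."""
    return list(node.values()) if isinstance(node, dict) else list(node or [])

def _addresses(raw):
    """Redirect URIs in an AppAddress value (assumed: JSON list of objects)."""
    try:
        parsed = json.loads(raw) if raw else []
    except (TypeError, json.JSONDecodeError):
        return set()
    if not isinstance(parsed, list):
        return set()
    return {e["Address"] for e in parsed if isinstance(e, dict) and e.get("Address")}

def added_redirect_uris(event):
    """Map each URI present only in new_value to a triage label."""
    findings = {}
    props = event["azure"]["auditlogs"]["properties"]
    for resource in _items(props.get("target_resources")):
        for prop in _items(resource.get("modified_properties")):
            if prop.get("display_name") != "AppAddress":
                continue
            old, new = _addresses(prop.get("old_value")), _addresses(prop.get("new_value"))
            for uri in sorted(new - old):
                parts = urlsplit(uri)
                if parts.hostname in LOOPBACK_HOSTS:
                    findings[uri] = "loopback"
                elif parts.scheme != "https":
                    findings[uri] = "review: non-https scheme"
                else:
                    findings[uri] = "review: new external host"
    return findings

def _value(*uris):  # builds a constructed AppAddress value
    return json.dumps([{"AddressType": 0, "Address": u} for u in uris])

# Constructed sample event; old_value/new_value field names are assumed.
SAMPLE_EVENT = {"azure": {"auditlogs": {"properties": {"target_resources": {"0": {
    "modified_properties": {"0": {
        "display_name": "AppAddress",
        "old_value": _value("https://portal.example.com/signin-oidc"),
        "new_value": _value("https://portal.example.com/signin-oidc",
                            "http://localhost:3000/callback",
                            "https://collector.example.net/cb"),
    }}}}}}}}
```

Calling `added_redirect_uris(SAMPLE_EVENT)` returns only the two URIs that were added, so an unchanged reply URL never reaches the analyst.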

Install detection rules in Elastic Security

Detect Entra ID OAuth Application Redirect URI Modified in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.