Application AppID Uri Configuration Changes

Sigma Rules

Summary
This detection rule identifies changes to the AppID URI configuration of applications in an Azure environment. It watches Azure audit log events that record an update to an application or to its service principal, because an unexpected change to these objects can indicate malicious activity such as privilege escalation or the establishment of persistence. The rule triggers when the audit log message is 'Update Application' or 'Update Service principal'. Note that these operation names cover every update to an application or service principal, not only changes to the AppID URI, so a hit should be triaged by inspecting which properties the event modified and who initiated it. Because the rule concerns critical application configuration, it is rated high severity, and alerts should be reviewed promptly. False positives occur when an administrator makes legitimate AppID URI configuration changes; these should be planned events, and alerts should be reconciled against change records so that routine administration can be separated from genuine threats.
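The following is an added example, not code from the Sigma project or the rule's author. It reproduces the rule's selection (match when the audit log message is 'Update Application' or 'Update Service principal', compared case-insensitively as Sigma does by default) over a few constructed Azure audit records, and then performs the triage step the summary calls for: checking whether the matching event actually modified the AppID URI. The property display names it looks for in modifiedProperties (AppIdentifierUri, IdentifierUris) and the shape of the sample records are assumptions and should be confirmed against records from your own tenant.

```python
import json

# The rule's selection as described above: match any audit record whose
# message (operation name) is one of these values. Sigma string matching is
# case-insensitive by default, so the comparison is done in lower case.
SELECTION_MESSAGES = {"update application", "update service principal"}

# Assumed display names under which the AppID URI appears in a record's
# modifiedProperties. Confirm these against your tenant's audit records.
APPID_URI_PROPERTY_NAMES = {"AppIdentifierUri", "IdentifierUris"}


def sigma_match(record):
    """Return True if the record satisfies the rule's selection."""
    message = record.get("properties", {}).get("message", "")
    return message.lower() in SELECTION_MESSAGES


def _parse_value(value):
    """Old/new values in Azure audit records are usually JSON-encoded strings."""
    if value is None:
        return None
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return value


def appid_uri_changes(record):
    """List (old, new) AppID URI values modified in a record, if any."""
    changes = []
    for target in record.get("properties", {}).get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") in APPID_URI_PROPERTY_NAMES:
                changes.append((_parse_value(prop.get("oldValue")),
                                _parse_value(prop.get("newValue"))))
    return changes


def triage(records):
    """Apply the selection, then flag which hits actually touched the AppID URI."""
    results = []
    for rec in records:
        if not sigma_match(rec):
            continue
        props = rec.get("properties", {})
        uri_changes = appid_uri_changes(rec)
        targets = props.get("targetResources", [])
        results.append({
            "message": props.get("message"),
            "initiated_by": props.get("initiatedBy", {}).get("user", {}).get("userPrincipalName"),
            "target": targets[0].get("displayName") if targets else None,
            "appid_uri_changed": bool(uri_changes),
            "changes": uri_changes,
        })
    return results


# Constructed sample records (not real audit data), shaped like Azure AD
# audit log entries as assumed above.
SAMPLE_RECORDS = [
    {   # constructed: an application update that changes the AppID URI
        "properties": {
            "message": "Update application",
            "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
            "targetResources": [{
                "displayName": "Payroll API",
                "modifiedProperties": [{
                    "displayName": "AppIdentifierUri",
                    "oldValue": "[\"api://payroll.example.com\"]",
                    "newValue": "[\"api://payroll.example.com\",\"api://payroll-v2.example.com\"]",
                }],
            }],
        }
    },
    {   # constructed: same operation, but only the display name changed
        "properties": {
            "message": "Update application",
            "initiatedBy": {"user": {"userPrincipalName": "dev@example.com"}},
            "targetResources": [{
                "displayName": "Intranet Portal",
                "modifiedProperties": [{
                    "displayName": "DisplayName",
                    "oldValue": "\"Intranet\"",
                    "newValue": "\"Intranet Portal\"",
                }],
            }],
        }
    },
    {   # constructed: not an update operation, must not match the rule
        "properties": {
            "message": "Add service principal",
            "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
            "targetResources": [{"displayName": "Build Agent", "modifiedProperties": []}],
        }
    },
]


if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(hit)
```

Both 'Update application' records match the rule, which is the point of the triage step: only the first one changed the AppID URI, while the second is the kind of routine administrative edit that produces a false positive. The third record never reaches triage because its operation name is not in the selection.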
Categories
  • Cloud
  • Azure
  • Application
Data Sources
  • Application Log
  • Cloud Service
  • Logon Session
Created: 2022-06-02