
Summary
This rule aims to detect unauthorized or suspicious changes to an application's Uniform Resource Identifier (URI) configuration in Azure audit logs. Specifically, it looks for log properties indicating updates to the application address (the application's redirect/reply URIs). Change scenarios such as dangling URIs, non-HTTPS URIs, wildcard conditions in domain names, non-unique URIs recorded for a specific application, and URIs pointing to domains the organization does not control should trigger scrutiny. Such changes can represent security risks and may indicate attack scenarios like credential theft, unauthorized access, or privilege escalation. The detection mechanism is built around monitoring log entries for updates labeled as 'Update Application Success - Property Name AppAddress'. False positives are likely when administrators perform legitimate URI updates as part of normal application maintenance or configuration changes, which are considered planned events. Therefore, the rule operates under the assumption that most application URI changes are legitimate unless they match the suspicious criteria listed above.
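The rule only matches the 'Update Application Success - Property Name AppAddress' event; deciding whether a matched change is actually suspicious is triage work. The following added example (not part of the rule or its project) shows that triage step over constructed Azure audit log records: it pulls the URIs added by each AppAddress update and flags the traits the summary names (non-HTTPS, wildcard hosts, uncontrolled domains, and a URI shared by more than one application). The record field names (`resultDescription`, `targetResources`, `modifiedProperties`, the JSON list of `Address` objects in `oldValue`/`newValue`), the `CONTROLLED_DOMAINS` allowlist and all sample entries are assumptions constructed for the example; dangling-URI detection is left out because it needs DNS lookups, which do not run offline.

```python
"""Triage AppAddress (redirect/reply URI) changes from Azure audit log records.

Added example: the record layout below approximates Azure AD audit log output
but every field name, the allowlist and the sample entries are constructed.
"""
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Domains the organization controls (constructed allowlist, an assumption).
CONTROLLED_DOMAINS = {"contoso.com"}

# The message the rule keys on, as given on the rule page.
APP_ADDRESS_MESSAGE = "Update Application Success - Property Name AppAddress"


def _uri_set(raw):
    """Parse the JSON list stored in an AppAddress old/new value into a set of URI strings."""
    if not raw:
        return set()
    return {item["Address"] for item in json.loads(raw)}


def app_address_change(entry):
    """Return (app, actor, added_uris, all_new_uris) for a matching entry, else None."""
    if entry.get("resultDescription") != APP_ADDRESS_MESSAGE:
        return None
    for target in entry.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "AppAddress":
                new = _uri_set(prop.get("newValue"))
                old = _uri_set(prop.get("oldValue"))
                return target.get("displayName", "?"), entry.get("initiatedBy", "?"), new - old, new
    return None


def assess_uri(uri, controlled_domains):
    """Return the suspicious traits of one redirect/reply URI (empty list means none found)."""
    issues = []
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        issues.append("non-https")
    if "*" in parts.netloc:
        issues.append("wildcard-host")
    base = host.lstrip("*.")  # compare the concrete part of a wildcard host
    if not any(base == d or base.endswith("." + d) for d in controlled_domains):
        issues.append("uncontrolled-domain")
    return issues


def triage(entries, controlled_domains=CONTROLLED_DOMAINS):
    """Return findings for URIs added by AppAddress updates, plus URIs shared across apps."""
    findings = []
    apps_by_uri = defaultdict(set)
    for entry in entries:
        change = app_address_change(entry)
        if change is None:
            continue
        app, actor, added, all_new = change
        for uri in all_new:
            apps_by_uri[uri].add(app)
        for uri in sorted(added):
            issues = assess_uri(uri, controlled_domains)
            if issues:
                findings.append({"app": app, "actor": actor, "uri": uri, "issues": issues})
    # A reply URI registered under more than one application is a non-unique URI.
    for uri, apps in sorted(apps_by_uri.items()):
        if len(apps) > 1:
            for app in sorted(apps):
                findings.append({"app": app, "actor": None, "uri": uri, "issues": ["shared-across-apps"]})
    return findings


def _entry(app, actor, old, new, message=APP_ADDRESS_MESSAGE):
    """Build one constructed audit record in the assumed layout."""
    to_json = lambda uris: json.dumps([{"Address": u, "AddressType": "Reply"} for u in uris]) if uris else None
    return {"operationName": "Update application", "resultDescription": message, "initiatedBy": actor,
            "targetResources": [{"displayName": app, "modifiedProperties": [
                {"displayName": "AppAddress", "oldValue": to_json(old), "newValue": to_json(new)}]}]}


# Constructed sample records: one risky change, one benign, one that reuses another app's URI,
# and one unrelated property update the rule should not match.
SAMPLE_ENTRIES = [
    _entry("Payroll Portal", "admin@contoso.com", ["https://payroll.contoso.com/auth"],
           ["https://payroll.contoso.com/auth", "http://payroll.contoso.com/auth",
            "https://*.attacker-cdn.example/cb"]),
    _entry("HR App", "admin@contoso.com", [], ["https://hr.contoso.com/callback"]),
    _entry("Expense Tool", "dev@contoso.com", ["https://expense.contoso.com/cb"],
           ["https://expense.contoso.com/cb", "https://hr.contoso.com/callback"]),
    _entry("HR App", "admin@contoso.com", [], ["https://hr.contoso.com/callback"],
           message="Update Application Success - Property Name DisplayName"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ENTRIES):
        print(finding)
```

Running the module prints four findings: the plain-HTTP and wildcard URIs added to the Payroll Portal, and the HR callback URI flagged once for each of the two applications that now share it. Anything the rule matches but `triage` returns nothing for is the planned-maintenance case the summary describes, and can be closed after confirming the actor.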
Categories
- Cloud
- Azure
- Application
Data Sources
- Application Log
- Cloud Service
Created: 2022-06-02