Query Details

AR 004 Burst OAuth Consent Grants

Query

id: d4e5f607-0004-4162-b234-ddeeff001122
name: Burst of OAuth Consent Grants by a Single Actor
description: |
  Alerts when a single user or application performs five or more OAuth consent
  or permission-grant operations within a one-hour window. This is characteristic
  of automated consent-phishing campaigns where a compromised account is used to
  grant attacker-controlled apps access to mailboxes, files, or directory objects
  across the organization. It is also a signal from tools such as ROADtools and
  TokenTactics when they enumerate or abuse delegation chains in bulk.

  Reference: TokenTactics https://github.com/rvrsh3ll/TokenTactics
             ROADtools     https://github.com/dirkjanm/ROADtools
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
queryFrequency: 1h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - CredentialAccess
  - Persistence
relevantTechniques:
  - T1528
  - T1098.001
query: |
  // --- Configurable ---
  let ConsentThreshold = 5;
  // --------------------
  AuditLogs
  | where TimeGenerated > ago(2h)
  | where ActivityDisplayName in (
      "Consent to application",
      "Add delegated permission grant",
      "Add app role assignment to service principal",
      "Remove delegated permission grant")
  | extend InitiatedByUPN = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
  | extend Actor          = iff(isnotempty(InitiatedByUPN), InitiatedByUPN, InitiatedByApp)
  | extend TargetApp      = tostring(TargetResources[0].displayName)
  | summarize
      ConsentCount   = count(),
      AppsActedOn    = make_set(TargetApp, 20),
      Operations     = make_set(ActivityDisplayName),
      FirstEvent     = min(TimeGenerated),
      LastEvent      = max(TimeGenerated),
      CorrelationIds = make_set(CorrelationId, 5)
      by Actor, InitiatedByUPN, bin(TimeGenerated, 1h)
  | where ConsentCount >= ConsentThreshold
  | extend DurationMinutes = datetime_diff('minute', LastEvent, FirstEvent)
  | extend RatePerMinute   = round(toreal(ConsentCount) / iff(DurationMinutes == 0, 1.0, toreal(DurationMinutes)), 2)

entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: InitiatedByUPN

customDetails:
  ConsentCount: ConsentCount
  DurationMinutes: DurationMinutes
  AppsActedOn: AppsActedOn

alertDetailsOverride:
  alertDisplayNameFormat: "Burst OAuth consent activity: {{ConsentCount}} consent operations by {{Actor}} in 1 hour"
  alertDescriptionFormat: "Actor {{Actor}} performed {{ConsentCount}} OAuth consent/permission-grant operations in {{DurationMinutes}} minutes, affecting apps: {{AppsActedOn}}. This may indicate automated consent-phishing or token enumeration."

suppressionDuration: PT2H
suppressionEnabled: false
version: 1.0.0
kind: Scheduled

Explanation

This query is designed to detect suspicious activity related to OAuth consent grants within an organization. Here's a simplified explanation:

  • Purpose: The query identifies when a single user or application performs five or more OAuth consent or permission-grant operations within a one-hour period. This behavior is often associated with automated attacks, such as consent-phishing campaigns, where attackers use compromised accounts to give their applications access to sensitive data like emails, files, or directory objects.

  • How it Works:
    • The query looks at audit logs from the past two hours.
    • It filters for specific activities related to granting or removing permissions to applications.
    • It identifies the actor (either a user or an application) who initiated these actions.
    • It counts the number of consent operations performed by each actor and checks if it meets or exceeds the threshold of five operations within an hour.
    • If the threshold is met, it calculates the duration and rate of these operations.

  • Alert Details:
    • If suspicious activity is detected, an alert is generated with details such as the number of operations, the time taken, and the applications affected.
    • The alert is labeled as high severity due to its potential link to credential access and persistence tactics used by attackers.

  • Additional Information:
    • The query references tools like ROADtools and TokenTactics, which can be used in such attacks.
    • It includes mappings to identify the account involved and provides custom details for further investigation.

Overall, this query helps security teams quickly identify and respond to potential security threats involving unauthorized access through OAuth consent grants.
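The detection logic described above, re-implemented in Python over constructed AuditLogs-style records (an added example, not code from the rule page or from Sentinel): it mirrors the KQL's actor resolution, one-hour bin, threshold, duration and rate, and the sample includes five grants split across an hour-bin boundary to show that `bin(TimeGenerated, 1h)` does not fire on them. The function names, the `event` helper, the accounts and the app names are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Operations the Sentinel rule filters on (same list as the KQL).
CONSENT_OPS = {
    "Consent to application",
    "Add delegated permission grant",
    "Add app role assignment to service principal",
    "Remove delegated permission grant",
}
CONSENT_THRESHOLD = 5  # mirrors ConsentThreshold in the KQL

def actor_of(event):
    """Mirror the KQL: prefer InitiatedBy.user.userPrincipalName, fall back to InitiatedBy.app.displayName."""
    initiated = event["InitiatedBy"]
    upn = (initiated.get("user") or {}).get("userPrincipalName") or ""
    return upn or (initiated.get("app") or {}).get("displayName") or ""

def detect_bursts(events, threshold=CONSENT_THRESHOLD):
    """Count consent operations per (actor, 1h bin); return the groups at or over the threshold."""
    groups = defaultdict(list)
    for ev in events:
        if ev["ActivityDisplayName"] in CONSENT_OPS:
            hour_bin = ev["TimeGenerated"].replace(minute=0, second=0, microsecond=0)  # bin(TimeGenerated, 1h)
            groups[(actor_of(ev), hour_bin)].append(ev)
    alerts = []
    for (actor, hour_bin), evs in groups.items():
        if len(evs) < threshold:
            continue
        first = min(e["TimeGenerated"] for e in evs)
        last = max(e["TimeGenerated"] for e in evs)
        minutes = int((last - first).total_seconds() // 60)  # datetime_diff('minute', LastEvent, FirstEvent)
        alerts.append({"Actor": actor, "Bin": hour_bin, "ConsentCount": len(evs),
                       "AppsActedOn": sorted({e["TargetResources"][0]["displayName"] for e in evs}),
                       "DurationMinutes": minutes,
                       "RatePerMinute": round(len(evs) / (minutes if minutes else 1.0), 2)})
    return alerts

def event(ts, op, target, upn=None, app_actor=None):
    """Build one constructed AuditLogs-style record (sample data, not real telemetry)."""
    initiated = {"user": {"userPrincipalName": upn}} if upn else {"app": {"displayName": app_actor}}
    return {"TimeGenerated": ts, "ActivityDisplayName": op, "InitiatedBy": initiated,
            "TargetResources": [{"displayName": target}]}

T0 = datetime(2026, 4, 6, 9, 0, tzinfo=timezone.utc)
SAMPLE = (  # constructed: 6 grants in 10 min (fires); 5 grants split 3+2 over the 10:00 bin edge (silent); app actor with no UPN (fires)
    [event(T0 + timedelta(minutes=2 * i), "Consent to application", f"app-{i}", upn="alice@example.com") for i in range(6)]
    + [event(T0 + timedelta(minutes=57 + i), "Add delegated permission grant", "app-x", upn="bob@example.com") for i in range(5)]
    + [event(T0 + timedelta(minutes=i), "Add app role assignment to service principal", "app-y", app_actor="ci-bot") for i in range(5)]
)
BURSTS = detect_bursts(SAMPLE)
```

The boundary case is the caveat to keep in mind when tuning: a burst that straddles two hourly bins is under-counted in each, so a sliding window or a lower threshold may be warranted.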

Details


David Alonso

Released: April 6, 2026

Tables

AuditLogs

Keywords

AuditLogs, AzureActiveDirectory, OAuth, Consent, User, Application, Mailboxes, Files, DirectoryObjects, Account, Apps, ServicePrincipal, CorrelationId

Operators

let, ago, in, tostring, iff, isnotempty, summarize, count, make_set, min, max, bin, datetime_diff, round, toreal
