Burst of OAuth Consent Grants by a Single Actor
AR 004 Burst O Auth Consent Grants
Query
// --- Configurable ---
let ConsentThreshold = 5;
// --------------------
AuditLogs
| where TimeGenerated > ago(2h)
| where ActivityDisplayName in (
"Consent to application",
"Add delegated permission grant",
"Add app role assignment to service principal",
"Remove delegated permission grant")
| extend InitiatedByUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
| extend Actor = iff(isnotempty(InitiatedByUPN), InitiatedByUPN, InitiatedByApp)
| extend TargetApp = tostring(TargetResources[0].displayName)
| summarize
ConsentCount = count(),
AppsActedOn = make_set(TargetApp, 20),
Operations = make_set(ActivityDisplayName),
FirstEvent = min(TimeGenerated),
LastEvent = max(TimeGenerated),
CorrelationIds = make_set(CorrelationId, 5)
by Actor, InitiatedByUPN, bin(TimeGenerated, 1h)
| where ConsentCount >= ConsentThreshold
| extend DurationMinutes = datetime_diff('minute', LastEvent, FirstEvent)
| extend RatePerMinute = round(toreal(ConsentCount) / iff(DurationMinutes == 0, 1.0, toreal(DurationMinutes)), 2)Explanation
This query is designed to detect suspicious activity related to OAuth consent grants within an organization. Here's a simplified explanation:
-
Purpose: The query identifies when a single user or application performs five or more OAuth consent or permission-grant operations within a one-hour period. This behavior is often associated with automated attacks, such as consent-phishing campaigns, where attackers use compromised accounts to give their applications access to sensitive data like emails, files, or directory objects.
-
How it Works:
- The query looks at audit logs from the past two hours.
- It filters for specific activities related to granting or removing permissions to applications.
- It identifies the actor (either a user or an application) who initiated these actions.
- It counts the number of consent operations performed by each actor and checks if it meets or exceeds the threshold of five operations within an hour.
- If the threshold is met, it calculates the duration and rate of these operations.
-
Alert Details:
- If suspicious activity is detected, an alert is generated with details such as the number of operations, the time taken, and the applications affected.
- The alert is labeled as high severity due to its potential link to credential access and persistence tactics used by attackers.
-
Additional Information:
- The query references tools like ROADtools and TokenTactics, which can be used in such attacks.
- It includes mappings to identify the account involved and provides custom details for further investigation.
Overall, this query helps security teams quickly identify and respond to potential security threats involving unauthorized access through OAuth consent grants.
Details

David Alonso
Released: April 6, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 2h