Which SIEM platforms have a THREAT-M365-SuspiciousOAuthConsent detection rule?

df00tech provides THREAT-M365-SuspiciousOAuthConsent (Suspicious OAuth Application Consent Grant in Microsoft 365) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the THREAT-M365-SuspiciousOAuthConsent detection?

The THREAT-M365-SuspiciousOAuthConsent detection is rated high severity with high confidence.

What are common false positives for THREAT-M365-SuspiciousOAuthConsent?

Common false positives for THREAT-M365-SuspiciousOAuthConsent include: IT administrators deploying approved third-party Microsoft 365 integrations (Slack, Zoom, Adobe, DocuSign) and granting required permissions; Users adding approved productivity apps from Microsoft AppSource that request standard permissions; Microsoft-published applications (Power Automate, Power BI) requesting permissions during initial setup.

THREAT-M365-SuspiciousOAuthConsent

Suspicious OAuth Application Consent Grant in Microsoft 365

Q: What data sources are required to detect Suspicious OAuth Application Consent Grant in Microsoft 365 (THREAT-M365-SuspiciousOAuthConsent)?

Detecting Suspicious OAuth Application Consent Grant in Microsoft 365 requires the following data sources: Azure AD Audit Logs (AuditLogs), Office 365 Unified Audit Log (OfficeActivity), Microsoft 365 Defender.

Credential Access Collection Last updated: April 27, 2026

Illicit OAuth consent grants are a persistent M365 attack vector where users are tricked into granting third-party applications excessive permissions to their Microsoft 365 data. Attackers register OAuth apps with convincing names ('HR Document Portal', 'Microsoft Security Update', 'Teams Bot') and send phishing emails directing users to 'consent' to the app. Once consented, the attacker's app has persistent API access (often with Mail.Read, Contacts.Read, Files.Read, or offline_access) without needing the user's credentials or bypassing MFA. Microsoft documented Storm-0558 and Midnight Blizzard using this technique. NCSC UK warns that illicit consent grants are particularly effective against SMBs because many lack admin consent workflows. Attackers can also use 'consent phishing' through OAuth apps registered in the same Entra ID tenant after initial compromise.

What is THREAT-M365-SuspiciousOAuthConsent Suspicious OAuth Application Consent Grant in Microsoft 365?

Suspicious OAuth Application Consent Grant in Microsoft 365 (THREAT-M365-SuspiciousOAuthConsent) maps to the Credential Access and Collection tactics — the adversary is trying to steal account names and passwords in MITRE ATT&CK.

This page provides production-ready detection logic for Suspicious OAuth Application Consent Grant in Microsoft 365, covering the data sources and telemetry it touches: Azure AD Audit Logs (AuditLogs), Office 365 Unified Audit Log (OfficeActivity), Microsoft 365 Defender. The queries below are rated high severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Credential Access Collection

Microsoft Sentinel / Defender

kusto

// THREAT: Suspicious OAuth Application Consent Grant
// Detects illicit OAuth consent grants in Microsoft 365 / Entra ID
// Primary telemetry: Azure AD Audit Logs, O365 audit logs

// Alert 1: High-privilege OAuth application consent grants
let SensitivePermissions = dynamic([
  "Mail.Read", "Mail.ReadWrite", "Mail.Send",
  "Mail.ReadBasic.All", "MailboxSettings.ReadWrite",
  "Files.Read.All", "Files.ReadWrite.All",
  "Contacts.Read", "Contacts.ReadWrite",
  "User.Read.All", "User.ReadWrite.All",
  "Group.Read.All", "Directory.Read.All",
  "offline_access", "Calendars.ReadWrite",
  "Sites.Read.All", "Sites.ReadWrite.All"
]);
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName has_any ("Consent to application", "Add app role assignment to service principal",
    "Add delegated permission grant", "Add OAuth2PermissionGrant")
| where Result =~ "success"
| extend AppName = tostring(TargetResources[0].displayName)
| extend GrantedPermissions = tostring(AdditionalDetails)
| extend ConsentorIP = tostring(InitiatedBy.user.ipAddress)
| extend ConsentorUPN = tostring(InitiatedBy.user.userPrincipalName)
| where GrantedPermissions has_any (SensitivePermissions)
    or OperationName has "admin consent"
| project TimeGenerated, OperationName, AppName, ConsentorUPN,
    ConsentorIP, GrantedPermissions, TargetResources
| extend ThreatType = "OAuthConsent_SensitivePermissions";
// Alert 2: First-time application consent (new app never seen before in tenant)
let KnownApps = AuditLogs
| where TimeGenerated between (ago(90d) .. ago(1d))
| where OperationName has "Consent to application"
| extend AppId = tostring(TargetResources[0].id)
| distinct AppId;
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName has "Consent to application"
| extend AppId = tostring(TargetResources[0].id)
| extend AppName = tostring(TargetResources[0].displayName)
| where AppId !in~ (KnownApps)
| project TimeGenerated, AppName, AppId, InitiatedBy, TargetResources
| extend ThreatType = "OAuthConsent_NewUnseenApplication"

Dual OAuth consent detection: (1) consent grants that include sensitive permissions (Mail.Read, Files.Read.All, offline_access) — these are the permissions attackers seek to maintain persistent email and file access; (2) consents to applications not seen in the tenant in the past 90 days — first-time app consents from non-admin users are a common illicit consent grant pattern. Both should trigger review against Microsoft AppSource or your internal app registry.

high severity high confidence

Data Sources

Azure AD Audit Logs (AuditLogs) Office 365 Unified Audit Log (OfficeActivity) Microsoft 365 Defender

Required Tables

AuditLogs OfficeActivity

False Positives

IT administrators deploying approved third-party Microsoft 365 integrations (Slack, Zoom, Adobe, DocuSign) and granting required permissions
Users adding approved productivity apps from Microsoft AppSource that request standard permissions
Microsoft-published applications (Power Automate, Power BI) requesting permissions during initial setup
Internal developers registering apps for legitimate automation workflows

Elastic Security (EQL)

eql

any where event.dataset == "azure.auditlogs"
  and event.action in~ (
    "Consent to application",
    "Add delegated permission grant",
    "Add OAuth2PermissionGrant",
    "Add app role assignment to service principal"
  )
  and event.outcome == "success"
  and (
    azure.auditlogs.properties.additional_details : (
      "*Mail.Read*", "*Mail.ReadWrite*", "*Mail.Send*",
      "*Files.Read.All*", "*Files.ReadWrite.All*",
      "*offline_access*", "*Directory.Read.All*",
      "*User.Read.All*", "*User.ReadWrite.All*",
      "*Contacts.Read*", "*Contacts.ReadWrite*",
      "*Sites.Read.All*", "*Sites.ReadWrite.All*",
      "*MailboxSettings.ReadWrite*", "*Calendars.ReadWrite*",
      "*Group.Read.All*", "*Mail.ReadBasic.All*"
    )
    or event.action in~ ("Add app role assignment to service principal")
    or azure.auditlogs.properties.additional_details : "*admin consent*"
  )

Detects illicit OAuth consent grants in Azure AD / Entra ID where users or administrators grant third-party applications sensitive API permissions covering mail, files, contacts, calendar, and directory access. Covers consent phishing techniques attributed to Storm-0558 and Midnight Blizzard threat actors. A secondary hunting angle targets first-time application consents by joining against a 90-day baseline of previously seen app IDs.

high severity high confidence

Data Sources

Azure Active Directory Audit Logs via Elastic Azure integration Microsoft Entra ID Audit Logs Azure Monitor Diagnostic Logs forwarded to Elastic

Required Tables

azure.auditlogs

False Positives

Legitimate IT-sanctioned enterprise application deployments where administrators intentionally grant broad OAuth permissions to approved productivity or security tools such as Salesforce, Workday, or ServiceNow M365 connectors
Microsoft first-party or rebranded applications appearing as new consents during tenant migrations, license tier upgrades, or Microsoft Entra policy changes that require re-consent
Automated provisioning workflows including Azure DevOps service principals and Power Automate connectors legitimately requesting delegated or application permissions as part of CI/CD pipeline setup

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(startTime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  username AS ConsentorUPN,
  sourceip AS ConsentorIP,
  QIDNAME(qid) AS OperationName,
  "deviceCustomString1" AS AppName,
  "deviceCustomString3" AS PermissionsGranted,
  CATEGORYNAME(category) AS CategoryName,
  magnitude
FROM events
WHERE LOGSOURCETYPEID(devicetype) = 413
  AND (
    LOWER(QIDNAME(qid)) = 'consent to application'
    OR LOWER(QIDNAME(qid)) = 'add delegated permission grant'
    OR LOWER(QIDNAME(qid)) = 'add oauth2permissiongrant'
    OR LOWER(QIDNAME(qid)) = 'add app role assignment to service principal'
  )
  AND (
    "deviceCustomString3" ILIKE '%Mail.Read%'
    OR "deviceCustomString3" ILIKE '%Mail.ReadWrite%'
    OR "deviceCustomString3" ILIKE '%Mail.Send%'
    OR "deviceCustomString3" ILIKE '%Mail.ReadBasic.All%'
    OR "deviceCustomString3" ILIKE '%Files.Read.All%'
    OR "deviceCustomString3" ILIKE '%Files.ReadWrite.All%'
    OR "deviceCustomString3" ILIKE '%offline_access%'
    OR "deviceCustomString3" ILIKE '%Directory.Read.All%'
    OR "deviceCustomString3" ILIKE '%User.Read.All%'
    OR "deviceCustomString3" ILIKE '%User.ReadWrite.All%'
    OR "deviceCustomString3" ILIKE '%Contacts.Read%'
    OR "deviceCustomString3" ILIKE '%Contacts.ReadWrite%'
    OR "deviceCustomString3" ILIKE '%Sites.Read.All%'
    OR "deviceCustomString3" ILIKE '%Sites.ReadWrite.All%'
    OR "deviceCustomString3" ILIKE '%MailboxSettings.ReadWrite%'
    OR "deviceCustomString3" ILIKE '%Calendars.ReadWrite%'
    OR "deviceCustomString3" ILIKE '%Group.Read.All%'
    OR LOWER(QIDNAME(qid)) = 'add app role assignment to service principal'
  )
ORDER BY startTime DESC
LAST 24 HOURS

Detects suspicious OAuth application consent grants in Microsoft Azure AD / Entra ID by querying for consent and permission-grant operations that include sensitive API permission scopes. LOGSOURCETYPEID 413 corresponds to the Microsoft Azure Active Directory DSM in QRadar. Targets permissions associated with persistent email, file, and directory access used in Storm-0558 and Midnight Blizzard consent phishing campaigns.

high severity medium confidence

Data Sources

Microsoft Azure Active Directory DSM (LOGSOURCETYPEID 413) Azure Monitor Logs forwarded to QRadar via Syslog or Azure Event Hub Microsoft Office 365 DSM for unified audit log events

Required Tables

events

False Positives

Enterprise application deployments by IT where administrators intentionally grant broad OAuth permissions to approved productivity or security tools during onboarding or integration setup
Automated provisioning via Azure DevOps or infrastructure-as-code pipelines creating service principals with application-level permissions to Exchange Online or SharePoint
Periodic re-consent workflows triggered by Microsoft after permission scope changes, Conditional Access policy updates, or tenant-wide admin consent policy enforcement changes

Sumo Logic CSE

sql

_sourceCategory=azure/aad/audit OR _sourceCategory=azure/active_directory/audit
| json field=_raw "operationName" as OperationName nodrop
| json field=_raw "result" as Result nodrop
| where OperationName in (
    "Consent to application",
    "Add delegated permission grant",
    "Add OAuth2PermissionGrant",
    "Add app role assignment to service principal"
  )
| where Result = "success"
| json field=_raw "targetResources[0].displayName" as AppName nodrop
| json field=_raw "targetResources[0].id" as AppId nodrop
| json field=_raw "initiatedBy.user.userPrincipalName" as ConsentorUPN nodrop
| json field=_raw "initiatedBy.user.ipAddress" as ConsentorIP nodrop
| json field=_raw "additionalDetails" as AdditionalDetails nodrop
| where matches(AdditionalDetails, "(?i)(Mail\.Read|Mail\.ReadWrite|Mail\.Send|Mail\.ReadBasic\.All|Files\.Read\.All|Files\.ReadWrite\.All|offline_access|Directory\.Read\.All|User\.Read\.All|User\.ReadWrite\.All|Contacts\.Read|Contacts\.ReadWrite|Sites\.Read\.All|Sites\.ReadWrite\.All|MailboxSettings\.ReadWrite|Calendars\.ReadWrite|Group\.Read\.All)")
  OR OperationName = "Add app role assignment to service principal"
| count as ConsentEvents by ConsentorIP, AppName, AppId, ConsentorUPN, OperationName
| sort by ConsentEvents desc
| fields ConsentorIP, AppName, AppId, ConsentorUPN, OperationName, ConsentEvents

Detects illicit OAuth consent grants in Microsoft Azure Active Directory / Entra ID where users or admins grant third-party applications sensitive M365 API permissions. Parses Azure AD audit log JSON to extract app identity, consenting user, and permission scopes. Surfaces consent phishing patterns used by Storm-0558 and Midnight Blizzard, including bulk consent events from a single IP and app role assignment grants.

high severity high confidence

Data Sources

Azure Active Directory Audit Logs via Sumo Logic Azure source collector Microsoft 365 Unified Audit Logs forwarded to Sumo Logic Sumo Logic Cloud SIEM Enterprise (CSE) with Azure AD normalized records

Required Tables

azure/aad/audit azure/active_directory/audit

False Positives

Legitimate deployment of approved enterprise OAuth applications by IT administrators that require broad permissions for business functionality such as backup, DLP, or archiving solutions
ISV software integrations connecting to Microsoft 365 during product trials or onboarding where the vendor's app requests standard delegated scopes
Microsoft-published applications being consented for the first time after new tenant policies, license changes, or Copilot feature roll-outs that require explicit admin consent

Google Chronicle / SecOps

yaral

rule suspicious_oauth_consent_grant_m365 {
  meta:
    author = "Detection Engineering"
    description = "Detects illicit OAuth consent grants with sensitive API permissions in Microsoft 365 / Entra ID — covers Storm-0558 and Midnight Blizzard consent phishing"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1098.003"
    false_positives = "Legitimate IT-sanctioned app deployments, ISV onboarding, Microsoft first-party app consent"
    reference = "https://www.microsoft.com/security/blog/2023/09/07/microsoft-mitigates-china-based-threat-actor-storm-0558"

  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_name = "Azure Active Directory"
    $e.metadata.product_event_type in nocase (
      "Consent to application",
      "Add delegated permission grant",
      "Add OAuth2PermissionGrant",
      "Add app role assignment to service principal"
    )
    $e.security_result.action = "ALLOW"
    (
      re.regex(
        $e.target.resource.attribute.labels["permissions"],
        `(?i)(Mail\.Read|Mail\.ReadWrite|Mail\.Send|Mail\.ReadBasic\.All|Files\.Read\.All|Files\.ReadWrite\.All|offline_access|Directory\.Read\.All|User\.Read\.All|User\.ReadWrite\.All|Contacts\.Read|Contacts\.ReadWrite|Sites\.Read\.All|Sites\.ReadWrite\.All|MailboxSettings\.ReadWrite|Calendars\.ReadWrite|Group\.Read\.All)`
      ) or
      re.regex($e.metadata.product_event_type, `(?i)admin\s+consent`) or
      $e.metadata.product_event_type = "Add app role assignment to service principal"
    )
    $user = $e.principal.user.email_addresses[0]
    $app = $e.target.application
    $src_ip = $e.principal.ip

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting illicit OAuth application consent grants in Microsoft 365 and Entra ID. Matches consent and delegation grant events where sensitive API permission scopes covering mail, files, contacts, calendar, or directory are granted to a third-party or newly registered OAuth application. Targets persistent API-access patterns attributed to Storm-0558 and Midnight Blizzard that bypass MFA by operating entirely through OAuth tokens.

high severity high confidence

Data Sources

Azure Active Directory Audit Logs ingested into Chronicle via Google Cloud Log Ingestion Microsoft 365 Unified Audit Log via Chronicle M365 ingestion Entra ID sign-in and audit events via Chronicle Azure AD parser

Required Tables

azure_ad

False Positives

Legitimate enterprise application deployments where IT administrators intentionally consent to broad permissions for approved internal or third-party SaaS tools including CASB, archiving, and eDiscovery platforms
Automated CI/CD pipeline service principal grants for DevOps tooling accessing SharePoint Online or Exchange Online as part of infrastructure automation
Microsoft-published first-party applications such as Teams, Viva, or Microsoft 365 Copilot receiving admin consent during new feature activation or license expansion events

CrowdStrike LogScale (CQL)

cql

#type=azure_ad_audit_log
| OperationName in values=[
    "Consent to application",
    "Add delegated permission grant",
    "Add OAuth2PermissionGrant",
    "Add app role assignment to service principal"
  ]
| Result="success"
| test(
    regex("(?i)(Mail\\.Read|Mail\\.ReadWrite|Mail\\.Send|Mail\\.ReadBasic\\.All|Files\\.Read\\.All|Files\\.ReadWrite\\.All|offline_access|Directory\\.Read\\.All|User\\.Read\\.All|User\\.ReadWrite\\.All|Contacts\\.Read|Contacts\\.ReadWrite|Sites\\.Read\\.All|Sites\\.ReadWrite\\.All|MailboxSettings\\.ReadWrite|Calendars\\.ReadWrite|Group\\.Read\\.All)",
    field=AdditionalDetails)
  OR OperationName="Add app role assignment to service principal"
)
| groupBy(
    [ConsentorIP, AppName, ConsentorUPN],
    function=[
      count(as=ConsentEvents),
      collect([OperationName, AdditionalDetails, AppId], limit=20)
    ]
  )
| sort(ConsentEvents, order=desc)
| ConsentEvents > 0
| ThreatType := "SuspiciousOAuth_ConsentGrant"
| ThreatActors := "Storm-0558, Midnight Blizzard"

CrowdStrike Falcon LogScale (Humio CQL) query detecting illicit OAuth consent grants in Azure Active Directory / Entra ID. Correlates consent and delegation grant operations where sensitive API permission scopes are assigned to OAuth applications, aggregated by consenting IP and user to surface bulk or anomalous consent activity. Covers TTPs attributed to Storm-0558 and Midnight Blizzard persistent access via OAuth token abuse.

high severity medium confidence

Data Sources

Azure Active Directory Audit Logs forwarded to CrowdStrike Falcon LogScale via Azure Event Hub Microsoft 365 Unified Audit Logs ingested into Falcon LogScale CrowdStrike Falcon Identity Protection Azure AD telemetry

Required Tables

azure_ad_audit_log

False Positives

IT-sanctioned enterprise application onboarding where administrators intentionally consent to broad OAuth permission scopes for business-critical integrations such as backup, compliance, or CASB solutions
OAuth re-consent flows triggered by Microsoft tenant policy updates, Conditional Access enforcement changes, or permission scope modifications to existing trusted applications
Development and test environments where developers register OAuth applications and grant broad scopes during integration testing or pre-production validation cycles

Sigma rule & cross-platform mapping

The detection logic for Suspicious OAuth Application Consent Grant in Microsoft 365 (THREAT-M365-SuspiciousOAuthConsent) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  product: azure

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for THREAT-M365-SuspiciousOAuthConsent Sigma rules on detection.fyi

Platform-specific guides for THREAT-M365-SuspiciousOAuthConsent

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-27 Research depth: deep

References (2)

Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Illicit OAuth Consent Grant Simulation
Expected signal: Azure AD Audit log records 'Consent to application' event with Mail.Read, offline_access, and Files.Read.All permissions for the test user.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for THREAT-M365-SuspiciousOAuthConsent including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Suspicious OAuth Application Consent Grant in Microsoft 365

What is THREAT-M365-SuspiciousOAuthConsent Suspicious OAuth Application Consent Grant in Microsoft 365?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for THREAT-M365-SuspiciousOAuthConsent

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Parent Technique

Related Techniques

Same Tactic: Credential Access

Popular Detections

What is THREAT-M365-SuspiciousOAuthConsent Suspicious OAuth Application Consent Grant in Microsoft 365?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for THREAT-M365-SuspiciousOAuthConsent

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Parent Technique

Related Techniques

Same Tactic: Credential Access

Popular Detections

Get new detections in your inbox