index.html

<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>OAuthSentry - OAuth application intelligence for defenders</title>
  <meta name="description" content="Search OAuth Application IDs across Microsoft Entra, Google Workspace and more. Three classification feeds for defenders: compliance, risky, and malicious. Includes investigation playbooks, forensic traces, and Splunk detections.">
  <meta name="theme-color" content="#0a0b10">

  <link rel="icon" type="image/png" sizes="32x32" href="assets/img/favicon-32.png">
  <link rel="icon" type="image/png" sizes="16x16" href="assets/img/favicon-16.png">
  <link rel="icon" type="image/png" sizes="48x48" href="assets/img/favicon-48.png">
  <link rel="apple-touch-icon" sizes="180x180" href="assets/img/favicon-180.png">
  <link rel="shortcut icon" href="assets/img/favicon.ico">

  <link rel="preconnect" href="https://fonts.googleapis.com">
  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
  <link href="https://fonts.googleapis.com/css2?family=IBM+Plex+Sans:wght@400;500;600&family=JetBrains+Mono:wght@400;500;600;700&display=swap" rel="stylesheet">

  <link rel="stylesheet" href="assets/css/style.css">
</head>
<body>

  <header class="topbar">
    <div class="shell topbar-inner">
      <div class="brand">
        <a href="#/search" data-route="/search" style="display:flex;align-items:center;gap:12px;">
          <span class="brand-mark" aria-hidden="true"></span>
          OAuthSentry
        </a>
        <span class="tag">OAuth APP INTEL FOR DEFENDERS</span>
      </div>
      <nav class="nav" id="topnav">
        <a href="#/search" data-route="/search">Search</a>
        <a href="#/investigation/tradecraft" data-route="/investigation">Investigation</a>
        <a href="#/triage" data-route="/triage">Triage</a>
        <a href="#/tokens" data-route="/tokens">Token decoder</a>
        <a href="#/submit" data-route="/submit">Submit</a>
        <a href="#/api" data-route="/api">API</a>
        <a href="#/feeds" data-route="/feeds">Feeds</a>
        <a href="#/methodology" data-route="/methodology">Methodology</a>
        <a href="https://github.com/oauthsentry/oauthsentry.github.io" target="_blank" rel="noopener">GitHub &#8599;</a>
      </nav>
    </div>
  </header>

  <main id="app">

    <!-- ============ SEARCH PAGE ============ -->
    <section id="page-search">
      <div class="hero">
        <div class="shell">
          <h1>OAuth application <span class="accent">intelligence</span></h1>
          <p class="lede">
            Search any OAuth Application ID across identity platforms. Triage in one click: legitimate references for allowlisting, OAuth apps abused by threat actors, and known-malicious applications observed in BEC, AiTM and consent-phishing campaigns.
          </p>
          <div class="hero-stats">
            <div class="stat"><div class="label">Total tracked</div><div class="value" id="stat-total">...</div></div>
            <div class="stat compliance"><div class="label">Compliance</div><div class="value" id="stat-compliance">...</div></div>
            <div class="stat risky"><div class="label">Risky</div><div class="value" id="stat-risky">...</div></div>
            <div class="stat malicious"><div class="label">Malicious</div><div class="value" id="stat-malicious">...</div></div>
          </div>
        </div>
      </div>

      <section class="search-section">
        <div class="shell">
          <div class="search-shell">
            <span class="prompt" aria-hidden="true">&gt;</span>
            <input id="search" type="search"
                   placeholder="search by app id, app name, threat actor, or scope - press / to focus"
                   autocomplete="off" autocapitalize="off" autocorrect="off" spellcheck="false">
            <button class="share" id="share-btn" type="button" title="copy a shareable URL of this query">share</button>
            <button class="clear" id="clear" type="button">clear</button>
          </div>

          <div class="filters">
            <span class="filter-label">category</span>
            <button class="chip on" data-category="all">all</button>
            <button class="chip" data-category="compliance">compliance</button>
            <button class="chip" data-category="risky">risky</button>
            <button class="chip" data-category="malicious">malicious</button>
          </div>

          <div class="filters">
            <span class="filter-label">severity</span>
            <button class="chip on" data-severity="all">all</button>
            <button class="chip" data-severity="critical">critical</button>
            <button class="chip" data-severity="high">high</button>
            <button class="chip" data-severity="medium">medium</button>
            <button class="chip" data-severity="low">low</button>
            <button class="chip" data-severity="info">info</button>
          </div>

          <div class="filters" id="services-bar">
            <span class="filter-label">service</span>
            <button class="chip on" data-service="all">all</button>
          </div>

          <div class="filters">
            <span class="filter-label">source</span>
            <select class="chip" id="source-filter" aria-label="filter by reference source">
              <option value="all">all sources</option>
            </select>
            <span class="filter-label">last seen</span>
            <select class="chip" id="year-filter" aria-label="filter by last-seen year">
              <option value="all">any year</option>
            </select>
            <button class="chip" id="has-comment" data-toggle="off" type="button">analyst notes only</button>
          </div>

          <div class="results-meta" id="results-meta">
            <span><strong>-</strong> results</span>
            <span><button class="reset" id="reset-filters" type="button">reset filters</button></span>
          </div>

          <div id="results" class="results">
            <div class="loading">loading data sources</div>
          </div>
        </div>
      </section>
    </section>

    <!-- ============ INVESTIGATION PAGE ============ -->
    <section id="page-investigation" hidden>
      <div class="shell">
        <div style="padding-top: 48px;">
          <div class="pretitle" style="font-family: var(--font-display); font-size: 11px; text-transform: uppercase; letter-spacing: 0.16em; color: var(--text-faint); margin-bottom: 16px; display: flex; align-items: center; gap: 10px;">
            <span style="width: 28px; height: 1px; background: var(--accent);"></span>
            Investigation playbooks
          </div>
          <h1 style="font-family: var(--font-display); font-size: clamp(30px, 4vw, 44px); font-weight: 700; letter-spacing: -0.02em; margin: 0 0 16px; line-height: 1.1;">Run an OAuth abuse case<br>from <span style="color: var(--accent);">consent</span> to closure.</h1>
          <p style="max-width: 720px; color: var(--text-dim); font-size: 16px; margin: 0 0 36px;">
            Three operator-grade playbooks built for SOC, IR and threat hunters: how to evict a malicious app from a tenant, where to find every forensic trace it leaves behind, and how to detect the next one before consent is granted.
          </p>
        </div>

        <nav class="subtabs" id="invest-subtabs">
          <a href="#/investigation/tradecraft"   data-route="/investigation/tradecraft" class="active">Entra: Tradecraft</a>
          <a href="#/investigation/remediation"  data-route="/investigation/remediation">Entra: Remediation</a>
          <a href="#/investigation/forensics"    data-route="/investigation/forensics">Entra: Forensic traces</a>
          <a href="#/investigation/detections"   data-route="/investigation/detections">Entra: Detections</a>
          <a href="#/investigation/hunting"      data-route="/investigation/hunting">Entra: Hunting</a>
          <a href="#/investigation/hardening"    data-route="/investigation/hardening">Entra: Hardening</a>
          <a href="#/investigation/google"       data-route="/investigation/google">Google Workspace (beta)</a>
          <a href="#/investigation/github"       data-route="/investigation/github">GitHub (beta)</a>
        </nav>

        <!-- ===== Tradecraft ===== -->
        <div class="invest-section" id="sub-tradecraft">
          <div class="doc-block">
            <h2>OAuth attack tradecraft against Entra ID</h2>
            <p class="doc-lede">A field guide to how attackers actually use OAuth against Microsoft tenants in 2024-2026, organised by phase. Every technique here has been documented in public incident reports - the references are linked. Read it as the attacker's playbook so the rest of this tab (forensics, detections, hunting) makes sense in context.</p>

            <div class="callout">
              <strong>Two modern shifts to internalise</strong>
              First: the centre of gravity has moved from "phish a password and bypass MFA" to <strong>steal or mint a token</strong>. Tokens survive password resets, expire on their own clock, and bypass MFA by design. Second: attackers prefer <strong>legitimate first-party Microsoft apps</strong> (VSCode, Authentication Broker, Azure CLI, Teams) to malicious app registrations - first-party apps are pre-consented in every tenant, can't be blocked, and don't trip "new OAuth app" alerts.
            </div>

            <h3><span class="num">1</span> Initial access - getting a token in the first place</h3>

            <h4>Consent phishing (classic)</h4>
            <p>Attacker registers a multi-tenant app in their own tenant, sends a consent URL to the victim. Victim clicks, authenticates against the real Microsoft login, accepts the consent prompt. Service principal is created in the victim's tenant; attacker now has a refresh token. Highest-volume variant; aggregated lists are the basis of OAuthSentry's malicious feed.</p>
            <ul>
              <li>Common scopes requested: <code>Mail.Read</code>, <code>Mail.ReadWrite</code>, <code>Files.Read.All</code>, <code>offline_access</code>, <code>User.Read</code>.</li>
              <li>Homoglyph display names (Cyrillic <code>о</code> instead of Latin <code>o</code> in "OneDrive") are common - 9 entries in the Entra dataset are confirmed homoglyph apps, preserved verbatim as IOCs.</li>
              <li>Real campaigns: Wiz's 2025 campaign (19 apps spoofing OneDrive/DocuSign/Adobe), RH-ISAC/Proofpoint MFA-themed phishing.</li>
            </ul>

            <h4>Device code phishing (Storm-2372 / APT29 / UTA0304 / UTA0307)</h4>
            <p>Attacker initiates a device-code flow against any first-party client (most often <code>Microsoft Authentication Broker</code> <code>29d9ed98-a469-4536-ade2-f981bc1d605e</code>). Microsoft returns an 8-character user code and a verification URL. Attacker DMs/emails the victim with a pretext ("enter this code to join the meeting") and the victim authenticates on Microsoft's real login portal. Attacker polls the token endpoint and receives the access token + family refresh token.</p>
            <ul>
              <li>Sign-in log fingerprint: <code>AuthenticationProtocol = deviceCode</code> + <code>OriginalTransferMethod = deviceCodeFlow</code>.</li>
              <li>Microsoft began rolling out blocks on device-code flow via Conditional Access in 2024; verify your tenant has the block in place unless you have a specific need.</li>
            </ul>

            <h4>OAuth code phishing via first-party apps (UTA0352)</h4>
            <p>March 2025 onward. Attacker uses Volexity-tracked <code>aebc6443-996d-45c2-90f0-388ff96faa56</code> (Visual Studio Code) with redirect URI <code>https://insiders.vscode.dev/redirect</code> or <code>https://vscode-redirect.azurewebsites.net</code>. Victim authenticates, gets redirected to in-browser VS Code which displays the auth code; attacker extracts and exchanges for token. No malicious app, no consent prompt, no novel infrastructure - everything terminates on Microsoft domains.</p>

            <h4>AiTM / token theft (Evilginx, Mamba2FA)</h4>
            <p>Reverse-proxy phishing kits sit between the victim and the real Microsoft login, intercepting the session cookie and refresh token after MFA completes. Token theft accounted for an estimated 31% of M365 breaches in 2025. The stolen token has the same MFA claim as the legitimate sign-in, so a one-time replay from a different IP looks like a normal non-interactive sign-in.</p>

            <h3><span class="num">2</span> Privilege escalation - getting more than the token grants</h3>

            <h4>Service principal credential backdoor (Midnight Blizzard / Solorigate)</h4>
            <p>The attacker enumerates application objects and service principals. For any SP they can write to (because they own the app, or have <code>Application.ReadWrite.All</code>, or the SP has the <code>microsoft.directory/servicePrincipals/credentials/update</code> right), they add their own client secret or X.509 certificate. They now authenticate via OAuth 2.0 client-credentials flow as that app, completely outside any user context, MFA, or interactive Conditional Access.</p>

            <h4>App ownership abuse ("Misowned and Dangerous", Semperis 2025)</h4>
            <p>The attack path documented in <em>EntraGoat</em>. A compromised low-privileged user discovers they own an enterprise application that has a privileged role assignment. The owner can add a client secret to the SP without any admin role. They then auth as the app, use its role to reset a Global Administrator's password, issue a Temporary Access Pass (TAP), and log in interactively as the GA. Tenant compromise, no admin role required at the start.</p>

            <h4>Federated identity credential persistence</h4>
            <p>Attackers with sufficient permissions add a <strong>federated identity credential</strong> to a high-privilege application object pointing at an attacker-controlled IdP (e.g. <code>https://attacker.example.com</code>). They then exchange tokens from the attacker's IdP for Microsoft tokens via <code>api://AzureADTokenExchange</code>. No client secret to rotate, no certificate thumbprint to spot - just a small JSON record that looks legitimate. Subtle, durable, often missed in audits.</p>

            <h4>Actor Token Forgery (CVE-2025-55241)</h4>
            <p>Disclosed September 2025 by Dirk-jan Mollema. A flaw in the legacy Access Control Service let attackers forge "actor" tokens (used for service-to-service delegation) impersonating <strong>any user in any tenant</strong>, including Global Admins. Critically, the forged-token request <strong>generates no sign-in log entry</strong> - downstream Graph activity is the only trace. Microsoft patched in September 2025 but: (a) any pre-patch abuse is largely invisible after the fact, and (b) the class of bug (S2S token tenant validation gaps) is unlikely to be the last. Hunt for actor-token usage where the SP <code>displayName</code> is a Microsoft service but the <code>userPrincipalName</code> is a real user.</p>

            <h4>FOCI / family refresh token misuse</h4>
            <p>An undocumented Entra behaviour, researched by Secureworks. ~16 first-party Microsoft client IDs are part of a "family"; a refresh token issued to any one of them can be redeemed for an access token to any other. Steal a token from <code>Azure CLI</code> and you can request tokens for Teams, Outlook, OneDrive, Office, etc. - the union of every family scope. <strong>TeamFiltration</strong> (UNK_SneakyStrike, 80,000+ targeted accounts since Dec 2024) industrialised this.</p>
            <p>Known FOCI app IDs from Secureworks' <code>known-foci-clients.csv</code>:</p>
            <table class="kv-table">
              <thead><tr><th>App</th><th>App ID</th></tr></thead>
              <tbody>
                <tr><td>Microsoft Azure CLI</td><td class="mono">04b07795-8ddb-461a-bbee-02f9e1bf7b46</td></tr>
                <tr><td>Microsoft Azure PowerShell</td><td class="mono">1950a258-227b-4e31-a9cf-717495945fc2</td></tr>
                <tr><td>Microsoft Teams</td><td class="mono">1fec8e78-bce4-4aaf-ab1b-5451cc387264</td></tr>
                <tr><td>Microsoft Office</td><td class="mono">d3590ed6-52b3-4102-aeff-aad2292ab01c</td></tr>
                <tr><td>OneDrive SyncEngine</td><td class="mono">ab9b8c07-8f02-4f72-87fa-80105867a763</td></tr>
                <tr><td>Outlook Mobile</td><td class="mono">27922004-5251-4030-b22d-91ecd9a37ea4</td></tr>
                <tr><td>Microsoft Authenticator App</td><td class="mono">4813382a-8fa7-425e-ab75-3b753aab3abb</td></tr>
                <tr><td>Visual Studio</td><td class="mono">872cd9fa-d31f-45e0-9eab-6e460a02d1f1</td></tr>
                <tr><td>Office 365 Management</td><td class="mono">00b41c95-dab0-4487-9791-b9d2c32c80f2</td></tr>
                <tr><td>OneDrive iOS App</td><td class="mono">af124e86-4e96-495a-b70a-90f90ab96707</td></tr>
                <tr><td>Windows Search</td><td class="mono">26a7ee05-5602-4d76-a7ba-eae8b7b67941</td></tr>
              </tbody>
            </table>

            <p>Adjacent to the FOCI list, but distinct: the <strong>Microsoft Authentication Broker</strong> (MAB, <code>29d9ed98-a469-4536-ade2-f981bc1d605e</code>) is not on Secureworks' canonical FOCI list, but it is the client used by Windows for Entra device-join and is the favourite vector for Primary Refresh Token (PRT) phishing per Dirk-jan Mollema's research. UTA0355 and Storm-2372 both used MAB. Hunt MAB sign-ins with <code>AuthenticationProtocol = deviceCode</code> the same way you hunt the FOCI list - the playbook is the same, the family membership is not.</p>

            <h3><span class="num">3</span> Persistence - staying after credentials change</h3>

            <h4>Device registration to mint a Primary Refresh Token (UTA0355)</h4>
            <p>Once the attacker has an OAuth code, they call the Device Registration Service to register their own device against the victim's tenant. They then convince the victim to approve a 2FA prompt ("to access SharePoint for the conference"). The attacker now has a Primary Refresh Token (PRT) tied to a "compliant" device they control. PRTs survive password resets and most refresh-token revocations - the only reliable cleanup is unregistering the device.</p>

            <h4>Inbox rules + transport rules</h4>
            <p>Classic BEC. Forward-then-delete rules to hide replies during invoice fraud. Tenant-wide transport rules created via Graph after admin-consent abuse to siphon mail at the org level.</p>

            <h4>Conditional Access policy exclusions</h4>
            <p>Attacker (with admin or app-perm equivalent) modifies an existing CA policy to add an "exclusion" for a specific user or named location they control. Looks like a routine policy edit in the audit log; effect is a permanent bypass.</p>

            <h4>Cross-tenant access trust</h4>
            <p>Attacker who compromises a trusted partner tenant (B2B collaboration / cross-tenant access settings) can keep accessing the victim tenant's resources even after every credential in the victim tenant is reset.</p>

            <h3><span class="num">4</span> Defense evasion - blending in</h3>
            <ul>
              <li><strong>Residential proxies</strong> (Spur.us-tracked): NSOCKS, 911, BrightProxies. Attacker traffic comes from IPs that also belong to legitimate users in the same neighbourhood.</li>
              <li><strong>First-party apps</strong>: VSCode, Azure CLI, Office traffic blends into developer noise.</li>
              <li><strong>CAE token extension</strong>: when CAE is enabled, attackers prefer to obtain CAE-aware tokens because they last 24-28h and skip mid-session re-auth - good for the attacker as long as the user/admin doesn't trigger an explicit revocation event.</li>
              <li><strong>Throttling MailItemsAccessed</strong>: Microsoft caps MailItemsAccessed bind-event logging at 1,000 audit records per mailbox per 24 hours; once a mailbox crosses that threshold, bind events are not logged for the next 24 hours (other mailbox audit actions like <em>Send</em>, <em>SoftDelete</em>, and sync operations continue unaffected). The first 1,000 events ARE recorded - what gets silenced is follow-on bind activity in the next 24 hours, so attackers use this to hide a quiet "second pass" rather than the initial dump. Sync-based exfiltration (Outlook desktop dumping an entire folder) generates one record per folder and never trips the cap regardless of message count. Microsoft says &lt;1% of mailboxes ever hit throttling, so an event with <code>IsThrottled = True</code> is itself a high-fidelity IOC.</li>
              <li><strong>Removing audit trail</strong>: post-compromise, deleting the added credential or the new SP after using it. Only catches if your retention is long enough to look back before the cleanup.</li>
            </ul>

            <h3><span class="num">5</span> The MITRE ATT&CK cloud mapping</h3>
            <p>For SOC ticketing, the techniques above map to:</p>
            <table class="kv-table">
              <thead><tr><th>Tactic</th><th>Technique</th><th>What we covered</th></tr></thead>
              <tbody>
                <tr><td>Initial Access</td><td class="mono">T1566.002 - Spearphishing Link</td><td>Consent / device-code / OAuth-code phishing</td></tr>
                <tr><td>Initial Access</td><td class="mono">T1078.004 - Cloud Accounts</td><td>AiTM / token theft replay</td></tr>
                <tr><td>Persistence</td><td class="mono">T1098.001 - Additional Cloud Credentials</td><td>SP credential backdoor, federated credential</td></tr>
                <tr><td>Persistence</td><td class="mono">T1098.003 - Additional Cloud Roles</td><td>App role assignment / admin consent</td></tr>
                <tr><td>Persistence</td><td class="mono">T1098.005 - Device Registration</td><td>UTA0355 device join + PRT</td></tr>
                <tr><td>Privilege Escalation</td><td class="mono">T1078.004 - Cloud Accounts</td><td>App ownership pivot, Actor Token Forgery</td></tr>
                <tr><td>Defense Evasion</td><td class="mono">T1550.001 - Application Access Token</td><td>FRT replay across FOCI apps</td></tr>
                <tr><td>Credential Access</td><td class="mono">T1528 - Steal Application Access Token</td><td>Consent phishing harvest</td></tr>
                <tr><td>Collection</td><td class="mono">T1114.002 - Remote Email Collection</td><td>MailItemsAccessed via OAuth</td></tr>
                <tr><td>Exfiltration</td><td class="mono">T1567 - Exfiltration Over Web Service</td><td>Microsoft Graph as exfil channel</td></tr>
              </tbody>
            </table>
          </div>
        </div>

        <!-- ===== Remediation ===== -->
        <div class="invest-section" id="sub-remediation" hidden>
          <div class="doc-block">
            <h2>Remediating a malicious OAuth consent grant</h2>
            <p class="doc-lede">Use this playbook when a user has consented to a malicious OAuth application in Microsoft Entra ID. Order matters: revoke before you investigate, preserve evidence before you delete.</p>

            <div class="callout danger">
              <strong>Containment first - what disable does and does not do</strong>
              Disabling the service principal blocks new sign-ins and stops Entra issuing new access tokens, but per the OAuth 2.0 spec <strong>access tokens already in the attacker's hands cannot be revoked</strong>; they remain valid until they expire. <strong>How long is "until they expire"?</strong> Microsoft's default access-token TTL is a randomized <strong>60-90 minutes (75 min average)</strong>, or <strong>2 hours flat</strong> for Microsoft Teams / Microsoft 365 clients in tenants without Conditional Access. Tenants with a Configurable Token Lifetime (CTL) policy can extend this up to <strong>24 hours</strong> - which doubles or quadruples the post-incident exposure window before the stolen token expires on its own. <strong>Refresh tokens</strong> live <strong>90 days</strong> (24h for single-page apps), so until you also revoke the refresh token (<code>Revoke-MgUserSignInSession</code>), the attacker can mint fresh access tokens for three months. The only mechanism that can invalidate a live access token before expiry is Continuous Access Evaluation (CAE) - and CAE only applies to CAE-aware resources (Exchange Online, SharePoint Online, Teams, Microsoft Graph) and CAE-aware clients. Resetting the user's password while tokens are still valid does not evict the attacker. Treat the window between containment and full eviction as live; assume continued read access until proven otherwise, and size that window using your tenant's actual CTL setting (audit via <code>Get-MgPolicyTokenLifetimePolicy</code>).
            </div>

            <h3><span class="num">1</span> Preserve evidence before you change anything</h3>
            <p>The lede above says "preserve evidence before you delete" - this is the step that makes that real. Once you start disabling SPs, revoking tokens, and deleting grants, the tenant state changes. If you skip this step, you lose the ability to answer "what did the application object look like at the moment of compromise" months later when legal, insurance, or regulators ask.</p>
            <ul>
              <li><strong>Snapshot the SP and all its credentials.</strong> Run the discovery query in Step 2 first, but pipe the output to a file rather than just the console - keep the raw JSON of <code>Get-MgServicePrincipal</code>, <code>Get-MgOauth2PermissionGrant</code>, and <code>Get-MgServicePrincipalAppRoleAssignment</code> so you have the unmodified record of what the consent looked like.</li>
              <li><strong>Capture the broader tenant state with EntraExporter.</strong> The <code>EntraExporter</code> PowerShell module (now <code>microsoft/EntraExporter</code>, originally by Merill Fernando): <code>Install-Module EntraExporter</code>, then <code>Export-Entra -Path .\&lt;case-id&gt; -All</code> writes the entire tenant config to disk: applications, service principals, OAuth2 grants, app role assignments, conditional access policies, role assignments, named locations. This is the cleanest way to capture "the tenant at incident time" before remediation rewrites it. Treat the export as evidence: hash it, copy it off-host, and reference the hash in your incident timeline.</li>
              <li><strong>Pull and archive the relevant audit data.</strong> Your SIEM retention may be shorter than your investigation timeline - export the raw <code>Consent to application</code>, <code>Add OAuth2PermissionGrant</code>, <code>Add app role assignment to service principal</code>, and <code>Add service principal credentials</code> events for the malicious app id from the M365 unified audit log to a case archive. The Splunk Forensic Traces queries in the Investigation tab generate this set; pin the time range to the suspected exposure window plus 30 days on either side.</li>
              <li><strong>Note the snapshot timestamp in the case file.</strong> Everything that follows in this playbook is dated relative to "evidence captured at T0". Reviewers in three months need this anchor.</li>
            </ul>

            <h3><span class="num">2</span> Identify scope of the consent</h3>
            <p>Pull every consent grant for the malicious application id across the tenant. Both delegated (per-user) and application (admin-consented) grants must be enumerated.</p>

            <div class="code-block">
              <div class="code-header">PowerShell - Microsoft Graph SDK<button class="copy-snippet" type="button">copy</button></div>
              <pre># Write scopes are required because steps 2-5 will disable, revoke, and remove
Connect-MgGraph -Scopes `
  "Application.ReadWrite.All", `
  "DelegatedPermissionGrant.ReadWrite.All", `
  "AppRoleAssignment.ReadWrite.All", `
  "Directory.AccessAsUser.All", `
  "User.RevokeSessions.All"

$badAppId = "&lt;malicious-application-id&gt;"

# 1. Locate the service principal in this tenant
$sp = Get-MgServicePrincipal -Filter "appId eq '$badAppId'"
$sp | Format-List Id, AppId, DisplayName, AppOwnerOrganizationId, `
                  PublisherName, VerifiedPublisher, ServicePrincipalType, `
                  ReplyUrls, Tags, AccountEnabled, DisabledByMicrosoftStatus

# 2. List delegated grants (per-user "OAuth2PermissionGrants")
#    consentType "Principal" = single user; "AllPrincipals" = tenant-wide admin consent
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" |
  Select-Object Id, ClientId, ConsentType, PrincipalId, ResourceId, Scope

# 3. List application-role grants (admin consent only, "AppRoleAssignments")
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
  Select-Object Id, AppRoleId, PrincipalDisplayName, ResourceDisplayName, CreatedDateTime

# 4. List any client secrets / certificates the app added (post-consent persistence)
$sp.PasswordCredentials | Select-Object KeyId, DisplayName, StartDateTime, EndDateTime
$sp.KeyCredentials      | Select-Object KeyId, DisplayName, StartDateTime, EndDateTime, Type</pre>
            </div>

            <h3><span class="num">3</span> Disable the service principal</h3>
            <p>This stops new sign-ins and token requests immediately. Disabling is reversible if the verdict turns out to be wrong; deletion is not, and Entra retains a tombstone for 30 days regardless.</p>
            <div class="code-block">
              <div class="code-header">PowerShell<button class="copy-snippet" type="button">copy</button></div>
              <pre># Disable the service principal (single command, tenant-wide)
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false

# Verify
(Get-MgServicePrincipal -ServicePrincipalId $sp.Id).AccountEnabled</pre>
            </div>

            <h3><span class="num">4</span> Revoke all refresh tokens for affected users</h3>
            <p>
              <code>Revoke-MgUserSignInSession</code> calls Microsoft Graph <code>POST /users/{id}/revokeSignInSessions</code>, which invalidates every refresh token and session token issued to that user across every app, not just the malicious one. This is the right hammer - the attacker's refresh token was probably scoped to a different app id than the one the user thinks they revoked, and you want all of them dead. The cmdlet returns immediately; replication to resource providers (Exchange, SharePoint) takes seconds for CAE-aware services and up to one hour for non-CAE replication.
            </p>
            <div class="code-block">
              <div class="code-header">PowerShell<button class="copy-snippet" type="button">copy</button></div>
              <pre># 1. Users who consented to this specific app (delegated grants)
$grantPrincipals = (Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'").PrincipalId |
                   Where-Object { $_ } | Sort-Object -Unique

# 2. Anyone who signed in to the malicious app within the lookback window.
#    Pull from sign-in logs to catch users who got tokens but were not in the grant list
#    (e.g. AllPrincipals admin consent grants do not have a PrincipalId).
$signInUsers = Get-MgAuditLogSignIn `
    -Filter "appId eq '$badAppId' and createdDateTime ge 2026-04-01T00:00:00Z" `
    -All | Select-Object -ExpandProperty UserId | Sort-Object -Unique

$affectedUsers = ($grantPrincipals + $signInUsers) | Sort-Object -Unique

foreach ($uid in $affectedUsers) {
    Write-Host "Revoking sessions for $uid"
    Revoke-MgUserSignInSession -UserId $uid
}</pre>
            </div>

            <h3><span class="num">5</span> Remove every consent grant</h3>
            <p>Disabling the SP blocks new tokens but leaves the consent records in place; remove them so the app cannot be re-enabled silently and so audit reporting stays accurate.</p>
            <div class="code-block">
              <div class="code-header">PowerShell<button class="copy-snippet" type="button">copy</button></div>
              <pre># Remove delegated permission grants
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" |
  ForEach-Object { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id }

# Remove application role assignments (admin-consented permissions)
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
  ForEach-Object {
    Remove-MgServicePrincipalAppRoleAssignment `
      -ServicePrincipalId $sp.Id `
      -AppRoleAssignmentId $_.Id
  }</pre>
            </div>

            <h3><span class="num">6</span> Block the app from being re-consented</h3>
            <p>If the app is registered in another tenant (multi-tenant, AppOwnerOrganizationId is not your tenant), tenant-wide consent restrictions and a tenant-level block prevent re-introduction.</p>
            <div class="code-block">
              <div class="code-header">PowerShell<button class="copy-snippet" type="button">copy</button></div>
              <pre># Tenant-wide hard-disable of the service principal
Update-MgServicePrincipal -ServicePrincipalId $sp.Id `
    -AccountEnabled:$false `
    -Tags @("HideApp","BlockedFromConsent")

# Restrict end-user consent globally (do this once tenant-wide, not just for this app)
Update-MgPolicyAuthorizationPolicy `
    -DefaultUserRolePermissions @{ permissionGrantPoliciesAssigned = @() }</pre>
            </div>

            <div class="callout warn">
              <strong>Multi-tenant note</strong>
              If the malicious app is multi-tenant (registered outside your tenant), disabling it in your tenant only stops it locally. Microsoft can globally disable known-bad apps via the <code>disabledByMicrosoftStatus</code> property; report to MSRC and CISA so the app is taken down for everyone.
            </div>

            <h3><span class="num">7</span> Investigate what the app accessed</h3>
            <p>Pivot to the Forensic traces tab. The questions you need answered: which mailboxes did it read, did it send mail, did it create inbox rules, did it modify MFA, did it register a device.</p>
            <div class="callout">
              <strong>Translate scopes into concrete data exposure</strong>
              The consent event tells you the scope (e.g. <code>Mail.ReadWrite</code>, <code>Files.Read.All</code>, <code>Directory.Read.All</code>) but not what specific Graph endpoints that scope unlocks. Use Merill Fernando's <a href="https://graphpermissions.merill.net/">graphpermissions.merill.net</a> to reverse-look-up each scope into the exact list of Graph endpoints and resource types it grants - this is what you tell legal/compliance the attacker had access to. Combine that with the actual Graph activity log records (see Forensics tab section 5) to narrow "could have accessed" to "did access". Knowing the difference between "Mail.Read on one mailbox" and "Mail.ReadWrite tenant-wide" is the difference between a one-user incident and a regulatory disclosure.
            </div>

            <h3><span class="num">8</span> User communication & post-incident</h3>
            <ul class="checklist">
              <li><strong>Notify affected users</strong> Tell them the app was disabled, that a password reset alone would not have stopped the attacker, and that the access has been revoked.</li>
              <li><strong>Force password reset</strong> only after revoking refresh tokens. Resetting first while tokens are still valid does not evict the attacker.</li>
              <li><strong>Re-enroll MFA</strong> if there is any indication the attacker added their own MFA method.</li>
              <li><strong>Review and tighten consent policy</strong> Move to admin-consent workflow for any app requesting Mail.*, Files.*, or Directory.* scopes.</li>
              <li><strong>Add the App ID to your watchlist</strong> Push the OAuthSentry malicious feed into your SIEM so the next consent attempt alerts immediately.</li>
            </ul>

            <h4>Microsoft Graph REST equivalent (one-liner per step)</h4>
            <table class="kv-table">
              <thead><tr><th>Step</th><th>HTTP request</th></tr></thead>
              <tbody>
                <tr><td>Find SP</td><td class="mono">GET /v1.0/servicePrincipals?$filter=appId eq '&lt;guid&gt;'</td></tr>
                <tr><td>Disable SP</td><td class="mono">PATCH /v1.0/servicePrincipals/&lt;sp-id&gt; { "accountEnabled": false }</td></tr>
                <tr><td>List grants</td><td class="mono">GET /v1.0/oauth2PermissionGrants?$filter=clientId eq '&lt;sp-id&gt;'</td></tr>
                <tr><td>Revoke grant</td><td class="mono">DELETE /v1.0/oauth2PermissionGrants/&lt;grant-id&gt;</td></tr>
                <tr><td>Revoke sessions</td><td class="mono">POST /v1.0/users/&lt;user-id&gt;/revokeSignInSessions</td></tr>
              </tbody>
            </table>
          </div>
        </div>

        <!-- ===== Forensics ===== -->
        <div class="invest-section" id="sub-forensics" hidden>
          <div class="doc-block">
            <h2>Forensic traces of OAuth abuse</h2>
            <p class="doc-lede">Every step of an OAuth consent attack leaves an artifact somewhere in Entra ID, Microsoft Graph activity logs, or the user's mailbox metadata. This is the operator's map of where to look.</p>

            <h3><span class="num">1</span> Application registration & service principal creation</h3>
            <p>The first event is creation of the service principal in your tenant - the moment the app appears as a "thing" Entra knows about. All of the operations below appear in either the <strong>M365 unified audit log</strong> (Splunk macro <code>oauthsentry_o365_audit</code>, <code>RecordType = AzureActiveDirectory</code>) or the <strong>Entra audit log</strong> streamed via Azure Monitor diagnostic settings (macro <code>oauthsentry_aad_audit</code>). The <strong>Operation</strong> field is what to filter on.</p>

            <div class="callout">
              <strong>Authoritative reference for "is this Microsoft first-party"</strong>
              When an SP is multi-tenant, the question is always "is this a real Microsoft app or someone impersonating one". The <code>appOwnerOrganizationId</code> field gives the answer if you cross-check against Microsoft's tenant ids - and Merill Fernando's <a href="https://github.com/merill/microsoft-info">merill/microsoft-info</a> repository (<code>aka.ms/AppNames</code>) maintains a daily-refreshed CSV/JSON of every known Microsoft first-party AppId, display name, and owner tenant. Pull <a href="https://raw.githubusercontent.com/merill/microsoft-info/main/_info/MicrosoftApps.csv">MicrosoftApps.csv</a> as a Splunk lookup (<code>| inputlookup microsoft_apps.csv</code>) and join it on appid; any SP active in your tenant whose AppId is NOT in that list AND whose <code>appOwnerOrganizationId</code> matches a Microsoft tenant id is suspicious by definition. Merill also publishes <a href="https://raw.githubusercontent.com/merill/microsoft-info/main/_info/GraphAppRoles.csv">GraphAppRoles.csv</a> and <a href="https://raw.githubusercontent.com/merill/microsoft-info/main/_info/GraphDelegateRoles.csv">GraphDelegateRoles.csv</a> for translating Graph permission GUIDs (the values you see in <code>ModifiedProperties.NewValue</code>) back into human-readable scope names.
            </div>
            <table class="kv-table">
              <thead><tr><th>Source</th><th>Operation / field</th><th>What it tells you</th></tr></thead>
              <tbody>
                <tr><td>Audit log op</td><td class="mono">Add service principal</td><td>SP appeared in your tenant. Captures app id, displayName, initiator. First event in the chain for any new app.</td></tr>
                <tr><td>Audit log op</td><td class="mono">Add service principal credentials</td><td>Client secret or certificate added to the SP - very common attacker persistence step (e.g. Midnight Blizzard added their own creds to existing SPs).</td></tr>
                <tr><td>Audit log op</td><td class="mono">Update application - Certificates and secrets management</td><td>Cert/secret added on the application object (vs the SP). Same intent, slightly different code path.</td></tr>
                <tr><td>Audit log op</td><td class="mono">Consent to application</td><td>User-level consent prompt accepted. <code>ConsentContext.IsAdminConsent</code> and the scope string in <code>ConsentAction.Permissions</code> are the key fields.</td></tr>
                <tr><td>Audit log op</td><td class="mono">Add OAuth2PermissionGrant</td><td>The actual delegated permission grant object created. Often appears alongside <code>Consent to application</code>; also fires when admin grants directly via Graph (<code>POST /oauth2PermissionGrants</code>).</td></tr>
                <tr><td>Audit log op</td><td class="mono">Add delegated permission grant</td><td>Variant name surfaced by some log pipelines for the same underlying event. Hunt both strings.</td></tr>
                <tr><td>Audit log op</td><td class="mono">Add app role assignment to service principal</td><td>App-level (admin-consent) permission granted - much higher impact. Anything in this stream that contains <code>.All</code>, <code>Mail.</code>, <code>Files.</code>, <code>Directory.</code> deserves immediate review.</td></tr>
                <tr><td>SP object</td><td class="mono">appOwnerOrganizationId</td><td>Tenant that owns the app. If not your tenant id, it is multi-tenant; cross-reference with Microsoft's first-party tenants <code>f8cdef31-a31e-4b4a-93e4-5f571e91255a</code> and <code>72f988bf-86f1-41af-91ab-2d7cd011db47</code>.</td></tr>
                <tr><td>SP object</td><td class="mono">verifiedPublisher</td><td>Empty for nearly all malicious apps. Verified publishers are a strong negative IOC.</td></tr>
                <tr><td>SP object</td><td class="mono">disabledByMicrosoftStatus</td><td><code>DisabledDueToViolationOfServicesAgreement</code> means Microsoft has globally tombstoned the app. If you see this, treat it as confirmed malicious.</td></tr>
                <tr><td>SP object</td><td class="mono">replyUrls / homepage</td><td>Where Entra redirects auth codes. Attacker-controlled domains here are decisive evidence; for UTA0352 watch for <code>insiders.vscode.dev</code> and <code>vscode-redirect.azurewebsites.net</code>.</td></tr>
                <tr><td>SP object</td><td class="mono">passwordCredentials / keyCredentials</td><td>Any new entry with a recent <code>startDateTime</code> = attacker minted their own credential.</td></tr>
                <tr><td>SP object</td><td class="mono">tags</td><td><code>WindowsAzureActiveDirectoryIntegratedApp</code> is normal; <code>HideApp</code>, unusual or attacker-script-injected values are not.</td></tr>
              </tbody>
            </table>

            <h3><span class="num">2</span> The consent event itself</h3>
            <p>This is the event everyone hunts for. In Entra audit logs:</p>
            <div class="code-block">
              <div class="code-header">Audit log shape (Entra ID)<button class="copy-snippet" type="button">copy</button></div>
              <pre>{
  "operationName": "Consent to application",
  "category":      "ApplicationManagement",
  "result":        "success",
  "initiatedBy":   { "user": { "userPrincipalName": "victim@org.com" } },
  "targetResources": [
    {
      "id": "&lt;service-principal-id&gt;",
      "type": "ServicePrincipal",
      "displayName": "Adobe Drive X",
      "modifiedProperties": [
        { "displayName": "ConsentAction.Permissions",
          "newValue": "Scope=Mail.Read Mail.Send offline_access" },
        { "displayName": "ConsentContext.IsAdminConsent", "newValue": "False" },
        { "displayName": "TargetId.ServicePrincipalNames",
          "newValue": "&lt;application-id-guid&gt;" }
      ]
    }
  ]
}</pre>
            </div>
            <p>Pivot fields: the application id, scopes consented, IsAdminConsent flag (admin = much higher impact), and the user principal who clicked.</p>

            <div class="callout">
              <strong>Two audit formats, two schemas</strong>
              The example above is the <strong>Azure AD audit log</strong> shape (camelCase: <code>operationName</code>, <code>targetResources[].modifiedProperties[]</code>) - that's what you get if you stream Entra diagnostic logs to Azure Monitor or Log Analytics. The <strong>Microsoft 365 unified audit log</strong> emits the same event with a different shape (PascalCase, flatter <code>ModifiedProperties[]</code> at the top level) and different field names. The OAuthSentry SPL macros target the M365 unified shape, because that's what the Splunk Add-on for Microsoft Office 365 ingests via the Management Activity API. Below is the real M365 unified shape of a single <code>Consent to application.</code> event (anonymized) - match this against your raw logs to confirm the field paths the SPL queries pivot on.
            </div>

            <div class="code-block">
              <div class="code-header">Audit log shape (M365 unified - what oauthsentry_o365_audit hits)<button class="copy-snippet" type="button">copy</button></div>
              <pre>{
  "CreationTime":   "2026-04-27T07:20:47",
  "Id":             "&lt;event-uuid&gt;",
  "Operation":      "Consent to application.",
  "OrganizationId": "&lt;your-tenant-id&gt;",
  "RecordType":     8,
  "ResultStatus":   "Success",
  "Workload":       "AzureActiveDirectory",
  "AzureActiveDirectoryEventType": 1,
  "ObjectId":       "&lt;consented-app-id&gt;",                         ``` AppId of the app being consented to ```
  "UserId":         "admin.consenting@yourtenant.onmicrosoft.com", ``` UPN of the user who clicked ```
  "UserKey":        "&lt;puid&gt;@yourtenant.onmicrosoft.com",
  "ExtendedProperties": [
    { "Name":  "additionalDetails",
      "Value": "{\"User-Agent\":\"Mozilla/5.0 (Windows NT 10.0; ...) Chrome/&lt;ver&gt; Safari/537.36\",\"AppId\":\"&lt;consented-app-id&gt;\",\"ServicePrincipalProvisioningType\":\"Other\"}" },
    { "Name":  "extendedAuditEventCategory", "Value": "ServicePrincipal" }
  ],
  "ModifiedProperties": [
    { "Name": "ConsentContext.IsAdminConsent", "NewValue": "True",  "OldValue": "" },
    { "Name": "ConsentContext.IsAppOnly",      "NewValue": "False", "OldValue": "" },
    { "Name": "ConsentContext.OnBehalfOfAll",  "NewValue": "True",  "OldValue": "" },
    { "Name": "ConsentContext.Tags",           "NewValue": "",      "OldValue": "" },
    { "Name": "ConsentAction.Permissions",
      "NewValue": "[[Id: &lt;grant-id&gt;, ClientId: &lt;sp-objectid&gt;, PrincipalId: , ResourceId: &lt;resource-sp-id&gt;, ConsentType: AllPrincipals, Scope: User.Read, CreatedDateTime: , LastModifiedDateTime ]] =&gt; [[Id: &lt;grant-id&gt;, ClientId: &lt;sp-objectid&gt;, PrincipalId: , ResourceId: &lt;resource-sp-id&gt;, ConsentType: AllPrincipals, Scope: User.Read, CreatedDateTime: , LastModifiedDateTime ]];",
      "OldValue": "" }
  ],
  "Actor": [
    { "ID": "admin.consenting@yourtenant.onmicrosoft.com", "Type": 5 },  ``` Type 5 = UPN ```
    { "ID": "&lt;puid&gt;",                                   "Type": 3 },  ``` Type 3 = PUID ```
    { "ID": "Microsoft_AAD_RegisteredApps",                "Type": 1 },  ``` Type 1 = source app/portal ```
    { "ID": "&lt;user-objectid&gt;",                          "Type": 2 }
  ],
  "Target": [
    { "ID": "ServicePrincipal_&lt;sp-objectid&gt;",            "Type": 2 },
    { "ID": "&lt;sp-objectid&gt;",                             "Type": 2 },  ``` SP ObjectId in tenant ```
    { "ID": "ServicePrincipal",                            "Type": 2 },
    { "ID": "&lt;App display name as it appeared at consent time&gt;", "Type": 1 },
    { "ID": "&lt;consented-app-id&gt;",                        "Type": 4 }   ``` AppId again, Type 4 ```
  ],
  "ActorContextId":  "&lt;your-tenant-id&gt;",
  "TargetContextId": "&lt;your-tenant-id&gt;"
}</pre>
            </div>
            <p>The four fields the OAuthSentry SPL pivots on, with paths confirmed against the shape above:</p>
            <ul>
              <li><strong>AppId of the consented app</strong> → <code>ObjectId</code> at the top level (also redundantly available as <code>ExtendedProperties[].additionalDetails.AppId</code> and <code>Target[]</code> entries with <code>Type=4</code>). The <code>TargetId.ServicePrincipalNames</code> field that some older detections key on does <strong>not</strong> exist in the M365 unified shape - it lives only in the Azure AD diagnostic stream.</li>
              <li><strong>Admin vs user consent</strong> → <code>ModifiedProperties[]</code> where <code>Name=="ConsentContext.IsAdminConsent"</code>, value is the string <code>"True"</code> / <code>"False"</code>.</li>
              <li><strong>Granted scopes</strong> → <code>ModifiedProperties[]</code> where <code>Name=="ConsentAction.Permissions"</code>. The value is a bracket-delimited string, not JSON; one or more <code>[[Id: ..., ClientId: ..., ResourceId: ..., ConsentType: ..., Scope: SCOPE_NAME, ...]]</code> groups separated by <code>;</code>, with an <code>old =&gt; new</code> arrow showing the diff. Multi-scope consents emit multiple groups; <code>regex max_match=20</code> against <code>Scope:\s*(?&lt;scope&gt;[^,\]]+)</code> extracts each.</li>
              <li><strong>User-Agent at consent time</strong> → <code>ExtendedProperties[]</code> where <code>Name=="additionalDetails"</code>. The <code>Value</code> field is a JSON-encoded string (escaped quotes); <code>spath input=Value</code> drills in to <code>User-Agent</code> and the redundant <code>AppId</code>. Hunt for <code>python-requests</code>, <code>curl</code>, <code>ROADtools</code>, headless browsers - they're rarely present on legitimate consent prompts.</li>
            </ul>

            <h3><span class="num">3</span> Sign-in logs - the app actually using its tokens</h3>
            <p>Once consent is granted the app starts signing in on behalf of the user. These appear in <strong>service principal sign-in logs</strong>, not interactive sign-ins. The Splunk macro stack splits them three ways: <code>oauthsentry_aad_sp_signin</code> for the SP authenticating as itself (<code>category = ServicePrincipalSignInLogs</code> on the underlying records), <code>oauthsentry_aad_signin</code> with <code>category = SignInLogs</code> for interactive sign-ins (the user clicking the consent prompt), and the same macro with <code>category = NonInteractiveUserSignInLogs</code> for token refreshes on behalf of the user.</p>
            <table class="kv-table">
              <thead><tr><th>Field</th><th>What to hunt for</th></tr></thead>
              <tbody>
                <tr><td class="mono">AppId</td><td>Match against the OAuthSentry malicious or risky feed.</td></tr>
                <tr><td class="mono">ResourceDisplayName / ResourceId</td><td>What was accessed. <code>00000003-0000-0000-c000-000000000000</code> = Microsoft Graph; <code>00000002-0000-0ff1-ce00-000000000000</code> = Exchange Online; <code>00000003-0000-0ff1-ce00-000000000000</code> = SharePoint.</td></tr>
                <tr><td class="mono">IPAddress / Location</td><td>Source. Cross-check against the user's normal sign-in pattern; residential proxies (Spur.us, GreyNoise) are common in UTA0352/APT29 ops.</td></tr>
                <tr><td class="mono">UserAgent</td><td><code>python-requests</code>, <code>curl</code>, <code>ROADtools</code>, <code>Mozilla/5.0 (X11; Linux ...)</code> against a normally-Windows mailbox = attacker tooling.</td></tr>
                <tr><td class="mono">IncomingTokenType</td><td><code>refreshToken</code> after the first sign-in. Long sequences of refresh-token grants from one IP = active attacker session.</td></tr>
                <tr><td class="mono">ResultType</td><td><code>0</code> = success. Filter on this when correlating with downstream activity.</td></tr>
                <tr><td class="mono">AuthenticationProtocol</td><td><code>deviceCode</code> = device-code phishing (Storm-2372). <code>authCode</code> with first-party app id = UTA0352 pattern.</td></tr>
                <tr><td class="mono">ConditionalAccessStatus</td><td><code>notApplied</code> = no policy matched, often an indicator the attacker found a CA gap. <code>failure</code> = blocked.</td></tr>
                <tr><td class="mono">"Continuous access evaluation"</td><td>Field on sign-in details indicating whether the issued token is CAE-aware. <code>true</code> means revocation will work near-real-time; <code>false</code> means the token must run out the clock.</td></tr>
              </tbody>
            </table>

            <h3><span class="num">4</span> Linkable identifiers - the cross-log correlation key</h3>
            <p>Three identifiers are stamped on every Microsoft-issued token and propagate into every downstream log. These are how you turn "this user signed in" into "and here is every Exchange operation, every Graph call, every SharePoint hit that token authorized." Capture them from the sign-in log entry, then pivot.</p>
            <table class="kv-table">
              <thead><tr><th>Identifier</th><th>Aliases in logs</th><th>Granularity</th><th>What it links</th></tr></thead>
              <tbody>
                <tr><td class="mono">SessionId (SID)</td><td><code>SessionId</code> on Entra sign-in events; <code>AADSessionId</code> on the <code>AppAccessContext</code> object in M365 unified audit log; <code>SessionId</code> field directly in Exchange mailbox audit records since 2019</td><td>One sign-in session</td><td>Every action that token-chain authorized: mailbox reads, file accesses, Graph calls. The single most useful field for OAuth investigations.</td></tr>
                <tr><td class="mono">UniqueTokenIdentifier (UTI)</td><td><code>uniqueTokenIdentifier</code> on Entra SP sign-in events; <code>uti</code> claim in the JWT; surfaces in Microsoft Graph activity logs via the same name</td><td>One specific access token</td><td>Pinpoints which token did exactly which action. Use this when you need to tell apart actions by the same user from two different sessions.</td></tr>
                <tr><td class="mono">CorrelationId</td><td><code>correlationId</code> across Entra sign-in logs, Entra audit logs, and the M365 unified audit log</td><td>One request chain</td><td>Ties together the consent event, the resulting SP sign-in, and the audit-log changes that flow from it.</td></tr>
              </tbody>
            </table>
            <div class="callout">
              <strong>Note on legacy auth</strong>
              <code>SessionId</code> is an Entra ID construct that only exists when the user authenticates via modern auth (OAuth 2.0 / ADAL / MSAL). Legacy basic-auth sessions have no SessionId. If your tenant still permits legacy auth, the absence of a SessionId on a mailbox audit event is itself a signal worth investigating.
            </div>

            <h4>Tracking a token when you don't have the username</h4>
            <p>Real IR rarely starts with "user X is compromised, find their actions". It usually starts with "we have <em>this</em> indicator from somewhere - what did it touch?" The indicator is a token artifact (a UTI, a hashed token, a session id), and the username is what you're trying to <em>derive</em> from it. Five concrete workflows, ordered by how often they come up:</p>

            <p><strong>1. You have a UTI from a Graph activity log entry.</strong> The UTI in <code>properties.signInActivityId</code> is the same value as the <code>uti</code> JWT claim and the <code>uniqueTokenIdentifier</code> field on Entra sign-in events. Walk it backwards to recover the user, then forward to find every other action that token authorized:</p>
            <div class="code-block">
              <div class="code-header">SPL - resolve UTI → user, then find every action by that token<button class="copy-snippet" type="button">copy</button></div>
              <pre>``` Step 1: find the originating sign-in (UTI is unique per token, ~75 min lifetime). ```
``` This recovers userPrincipalName, source IP, device, MFA factor, IdP, conditional ```
``` access result - everything you need to scope the actor.                          ```
`oauthsentry_aad_signin` earliest=-7d
| where uniqueTokenIdentifier="AAAAExampleUtiXXXXXXXX"
| table _time, userPrincipalName, userId, appDisplayName, appId, ipAddress,
        location.city, deviceDetail.operatingSystem, authenticationDetails{}.authenticationMethod,
        conditionalAccessStatus

``` Step 2: find every Graph call made with that token. Same UTI, different stream. ```
`oauthsentry_graph_activity` earliest=-7d
| where 'properties.signInActivityId'="AAAAExampleUtiXXXXXXXX"
| table _time, 'properties.requestMethod', 'properties.requestUri',
        'properties.responseStatusCode', 'properties.responseSizeBytes'
| sort _time

``` Step 3: M365 unified audit log entries authorized by tokens that share the   ```
``` same SESSION (a session can mint many tokens). The session lives longer than ```
``` any one token, so this is the broader scope.                                 ```
`oauthsentry_o365_audit` earliest=-7d
| where like('AppAccessContext.AADSessionId', "&lt;session-id-from-step-1&gt;")
| table _time, Operation, ObjectId, UserId, ClientIP, AppId</pre>
            </div>

            <p><strong>2. You have a GitHub <code>hashed_token</code> from one audit log event.</strong> GitHub publishes the SHA-256 hash of every issued token in the audit log. <a href="https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token">GitHub's hashed-token search</a> takes the hash directly and returns every event - clones, fetches, API calls, repo reads - made by tokens that produced that hash:</p>
            <div class="code-block">
              <div class="code-header">curl - GitHub audit log hashed-token pivot<button class="copy-snippet" type="button">copy</button></div>
              <pre>``` Take the hashed_token value from one event, find every event with the same hash. ```
``` Returns every action that specific token took, regardless of which user owns it. ```
HASH="ExAmPLEhAsHEdT0kEnVaLuEf0rD0cs00xx00000000="
ENC=$(printf %s "$HASH" | jq -sRr @uri)

curl -s \
  -H "Authorization: Bearer $PAT" \
  -H "Accept: application/vnd.github+json" \
  "https://api.github.com/orgs/$ORG/audit-log?phrase=hashed_token:$ENC&amp;per_page=100" \
| jq '.[] | {ts: .["@timestamp"], action, user, actor_ip, repo, oauth_application_name}'</pre>
            </div>

            <p><strong>3. You have a token captured from a phishing kit, stealer log, or beacon.</strong> Decode the JWT (it's three base64-url segments separated by dots; the middle segment is JSON). The <code>uti</code> claim is what you pivot on - same value as the audit-log fields above. The <code>oid</code> claim gives you the user object id, <code>scp</code> lists the granted scopes, <code>iat</code> / <code>exp</code> give you the validity window:</p>
            <div class="code-block">
              <div class="code-header">bash - decode a captured JWT and pull the linkable claims<button class="copy-snippet" type="button">copy</button></div>
              <pre>TOKEN="eyJ0eXAiOi..."   # paste the access_token portion only

``` Decode the middle segment. Bash trick: replace -_/+/= padding, base64 decode. ```
echo "$TOKEN" | cut -d. -f2 | tr '_-' '/+' | base64 -d 2&gt;/dev/null | jq '{
  uti, oid, tid, appid, app_displayname,
  iat: (.iat | todate), exp: (.exp | todate),
  scope: .scp,
  upn: (.upn // .preferred_username // "(no upn claim)"),
  ipaddr
}'

``` The 'uti' value plugs straight into the queries in workflow 1 above to find ```
``` everything that token did inside your tenant.                              ```</pre>
            </div>

            <p><strong>4. You have a Splunk SessionId but no clue who it belongs to.</strong> The <code>SessionId</code> appears on Entra sign-in events, mailbox audit events, and inside the <code>AppAccessContext</code> on every M365 unified audit log entry that involved an OAuth-authorized action. One query against any of those streams resolves the user:</p>
            <div class="code-block">
              <div class="code-header">SPL - resolve a SessionId to a user across streams<button class="copy-snippet" type="button">copy</button></div>
              <pre>``` Try the sign-in log first - cleanest mapping ```
`oauthsentry_aad_signin` SessionId="&lt;session-id&gt;"
| stats values(userPrincipalName) as upns
        values(userId)             as user_oids
        values(appId)               as app_ids
        values(appDisplayName)      as apps
        values(ipAddress)           as src_ips
        earliest(_time) as first_seen
        latest(_time)   as last_seen

``` If no hit there, try the M365 audit log - the SessionId lives nested under   ```
``` AppAccessContext (delegated tokens) or directly on Exchange mailbox events. ```
`oauthsentry_o365_audit` ('AppAccessContext.AADSessionId'="&lt;session-id&gt;" OR SessionId="&lt;session-id&gt;")
| stats values(UserId) as upns dc(Operation) as ops earliest(_time) as first_seen latest(_time) as last_seen</pre>
            </div>

            <p><strong>5. You have an OAuth Application's AppId but want all tokens issued under it.</strong> Every access token under one OAuth app shares the same <code>AppId</code>; what differs is the UTI per token and the SessionId per session. List the unique UTIs the app has minted in your tenant, and you have the full set of distinct tokens it has issued (and therefore the full set of users who consented or signed in via it):</p>
            <div class="code-block">
              <div class="code-header">SPL - enumerate every token issued for one app<button class="copy-snippet" type="button">copy</button></div>
              <pre>`oauthsentry_aad_signin` appId="&lt;app-id&gt;" earliest=-30d
| stats values(uniqueTokenIdentifier) as token_utis
        dc(uniqueTokenIdentifier)     as distinct_tokens
        values(userPrincipalName)     as users
        dc(userPrincipalName)         as distinct_users
        values(SessionId)             as sessions
        dc(SessionId)                 as distinct_sessions
        earliest(_time) as first_seen
        latest(_time)   as last_seen
   by appId</pre>
            </div>

            <p><strong>6. You have an app-only token's traces and need to follow the service principal (no user exists).</strong> App-only tokens (<code>C_Idtyp == "app"</code> in Graph activity logs) have an empty <code>userId</code>; the principal is the service principal itself. The pivot key is <code>servicePrincipalId</code>, and the cross-stream join on UTI still works the same way as for delegated flows. Common case: a vendor like Salesloft Drift discloses a compromise of one of their app registrations - you have an <code>appId</code> from the disclosure, you want every Graph call any of that app's tokens made against any user mailbox in your tenant. Two independent queries (run sequentially):</p>
            <div class="code-block">
              <div class="code-header">SPL - step 1: enumerate app-only Graph activity for one OAuth app<button class="copy-snippet" type="button">copy</button></div>
              <pre>``` Returns one row per (servicePrincipalId, target user object-id) pair, with     ```
``` the endpoints touched, distinct token count, and status codes seen.            ```
``` Copy the targeted_user_oid values out and feed them to step 2 below.           ```

`oauthsentry_graph_activity` earliest=-7d
| eval req_appid  = 'properties.appId'
| eval req_spid   = 'properties.servicePrincipalId'
| eval req_uri    = 'properties.requestUri'
| eval req_uti    = 'properties.signInActivityId'
| eval req_idtyp  = 'properties.C_Idtyp'
| eval req_status = 'properties.responseStatusCode'

| where lower(req_appid) = "&lt;app-id-from-disclosure&gt;"
| where req_idtyp = "app"

``` Pull the target user object id out of /users/{id}/... requestUris ```
| rex field=req_uri "(?i)/v1\.0/users/(?&lt;targeted_user_oid&gt;[0-9a-f-]{36})"

| stats count
        values(req_uri)         as endpoints
        values(req_uti)         as token_utis
        dc(req_uti)             as distinct_tokens
        values(targeted_user_oid) as targeted_user_oids
        dc(targeted_user_oid)     as distinct_users_targeted
        values(req_status)        as status_codes
        earliest(_time)           as first_seen
        latest(_time)             as last_seen
   by req_spid</pre>
            </div>
            <div class="code-block">
              <div class="code-header">SPL - step 2: resolve target user object-ids to display names<button class="copy-snippet" type="button">copy</button></div>
              <pre>``` Run after step 1. Replace &lt;oid1&gt;, &lt;oid2&gt;, ... with the targeted_user_oid     ```
``` values from step 1's output. Pulls a single audit-log row per user that gives ```
``` you the displayName and userPrincipalName.                                    ```

`oauthsentry_aad_audit` earliest=-30d
   targetResources{}.id IN ("&lt;oid1&gt;", "&lt;oid2&gt;", "&lt;oid3&gt;")
| dedup targetResources{}.id
| table targetResources{}.id, targetResources{}.displayName, targetResources{}.userPrincipalName</pre>
            </div>

            <div class="callout">
              <strong>Why these workflows matter</strong>
              An attacker who steals a token doesn't usually announce themselves. The first sign is often a single anomalous event surfacing an unfamiliar UTI / session id / hashed token / service-principal id - and the user (or service principal) the token belongs to is exactly what you're trying to figure out. The token identifier is the through-line; the username is downstream of the identifier, not a prerequisite, and for app-only flows there is no user at all - the service principal is the principal. The six workflows above cover the realistic distribution: most cases start from a UTI in a Graph or sign-in log; the GitHub hash and JWT cases cover external-IOC-driven IR; the SessionId case covers M365-only deployments without the Graph stream; the AppId and app-only servicePrincipalId cases are for assessing exposure scope when a vendor (Drift, Context.ai, etc.) discloses a compromise affecting one of their app registrations.
            </div>

            <h3><span class="num">5</span> Microsoft Graph activity logs - the post-token-theft visibility layer</h3>
            <p>Graph activity logs are the only place that records every individual Graph API call the malicious app made. Without this stream, you can prove the app got a token but not what it did with it - which is the difference between "we were targeted" and "this is the regulator-disclosable scope of the breach". Stream them via Azure Monitor diagnostic settings (category <code>MicrosoftGraphActivityLogs</code>); in Splunk they land under the dedicated <code>oauthsentry_graph_activity</code> macro defined in the Detections tab.</p>

            <p>An anonymized reference event - what one Graph activity record actually looks like in a French-region tenant after a delegated GET against <code>/v1.0/users?$top=2000</code>:</p>
            <div class="code-block">
              <div class="code-header">Microsoft Graph activity log event (anonymized)<button class="copy-snippet" type="button">copy</button></div>
              <pre>{
  "time":             "2026-04-27T21:30:08.296Z",
  "resourceId":       "/TENANTS/&lt;tenant-id&gt;/PROVIDERS/MICROSOFT.AADIAM",
  "operationName":    "Microsoft Graph Activity",
  "operationVersion": "v1.0",
  "category":         "MicrosoftGraphActivityLogs",
  "resultSignature":  "400",
  "durationMs":       "488000",
  "callerIpAddress":  "&lt;source-ip&gt;",
  "correlationId":    "&lt;correlation-id&gt;",
  "level":            "Informational",
  "location":         "France Central",
  "properties": {
    "timeGenerated":      "2026-04-27T21:30:08.296Z",
    "requestId":          "&lt;request-id&gt;",
    "operationId":        "&lt;operation-id&gt;",
    "clientRequestId":    "&lt;client-request-id&gt;",
    "apiVersion":         "v1.0",
    "requestMethod":      "GET",
    "responseStatusCode": 400,
    "tenantId":           "&lt;tenant-id&gt;",
    "durationMs":         488000,
    "responseSizeBytes":  286,
    "signInActivityId":   "&lt;uti&gt;",
    "appId":              "d3590ed6-52b3-4102-aeff-aad2292ab01c",     ``` Microsoft Office (FOCI app) ```
    "UserPrincipalObjectID": "&lt;user-objectid&gt;",
    "scopes":             "Mail.ReadWrite Mail.Send Files.ReadWrite.All Directory.Read.All Directory.AccessAsUser.All Group.ReadWrite.All User.ReadWrite ... (~45 scopes)",
    "wids":               "b79fbf4d-3ef9-4689-8143-76b194e85509",     ``` default-user wid: regular non-admin user ```
    "userId":             "&lt;user-objectid&gt;",
    "userAgent":          "User-Agent: Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0;  rv:11.0) like Gecko",
    "ipAddress":          "&lt;source-ip&gt;",
    "requestUri":         "https://graph.microsoft.com/v1.0/users?$top=2000&amp;$select=id,displayName,mail,userPrincipalName,accountEnabled",
    "policyEvaluated":    false,
    "tokenIssuedAt":      "2026-04-27T13:19:23Z"
  },
  "tenantId": "&lt;tenant-id&gt;"
}</pre>
            </div>

            <p>The same event shape, but for an <strong>app-only</strong> token reading another user's mailbox content - the post-vendor-compromise pattern that drives most of OAuthSentry's malicious feed (Salesloft Drift, Context.ai etc. all fall in this category):</p>
            <div class="code-block">
              <div class="code-header">Microsoft Graph activity log event - app-only flow (anonymized)<button class="copy-snippet" type="button">copy</button></div>
              <pre>{
  "time":             "2026-04-28T14:44:12.562Z",
  "resourceId":       "/TENANTS/&lt;tenant-id&gt;/PROVIDERS/MICROSOFT.AADIAM",
  "operationName":    "Microsoft Graph Activity",
  "category":         "MicrosoftGraphActivityLogs",
  "resultSignature":  "200",                                            ``` success ```
  "callerIpAddress":  "&lt;source-ip&gt;",                                       ``` AWS eu-west-1 in this real example ```
  "location":         "North Europe",
  "properties": {
    "requestMethod":      "GET",
    "responseStatusCode": 200,
    "responseSizeBytes":  11785,                                        ``` ~12 KB returned ```
    "signInActivityId":   "&lt;uti&gt;",
    "appId":              "&lt;app-id&gt;",                                   ``` custom OAuth app, not a FOCI app ```
    "servicePrincipalId": "&lt;sp-objectid&gt;",                              ``` app-only: SP is the principal ```
    "UserPrincipalObjectID": "&lt;sp-objectid&gt;",                           ``` same as servicePrincipalId on app-only ```
    "userId":             "",                                           ``` empty - no user ```
    "scopes":             "",                                           ``` empty - app-only tokens have no scopes ```
    "roles":              "Mail.Read MailboxSettings.Read User.Read.All", ``` granted application permissions ```
    "wids":               "0997a1d0-0d1d-4acb-b408-d5ca73121e90",       ``` Directory Readers - typical sole wid for an SP with no other roles ```
    "C_Idtyp":            "app",                                        ``` THE single-best delegated-vs-app-only marker ```
    "C_Sid":              "",                                           ``` empty - no user session ```
    "C_DeviceId":         "",                                           ``` empty - no device ```
    "userAgent":          "Python/3.11 aiohttp/3.13.4",                 ``` async Python HTTP client - tooling UA ```
    "ipAddress":          "&lt;source-ip&gt;",
    "requestUri":         "https://graph.microsoft.com/v1.0/users/&lt;target-user-objectid&gt;/messages/&lt;message-id&gt;/$value",
    "policyEvaluated":    false,
    "tokenIssuedAt":      "2026-04-28T14:18:56Z"                        ``` token 26 min old when used ```
  },
  "tenantId": "&lt;tenant-id&gt;"
}</pre>
            </div>

            <p>Five things this app-only event tells a defender, contrasting with the delegated event above:</p>
            <ul>
              <li><strong>This is an app-only flow, not delegated.</strong> The single highest-fidelity tell is <code>properties.C_Idtyp == "app"</code> - the same JWT <code>idtyp</code> claim. Reinforced by <code>scopes</code> being empty (app-only tokens have <em>roles</em>, not scopes) and <code>roles</code> being populated with the granted application permissions instead. <strong>Every detection and pivot for app-only flows must use <code>servicePrincipalId</code> instead of <code>userId</code></strong> - the latter is empty.</li>
              <li><strong>The app token is reading another user's specific email by object-id and message-id.</strong> <code>requestUri</code> matches <code>/v1.0/users/{user-objectid}/messages/{message-id}/$value</code>. The <code>/$value</code> suffix returns raw MIME (full email including attachments), which is the most data-bearing form of mail read in the Graph API. App-only <code>Mail.Read</code> can read <em>any</em> mailbox in the tenant - this is the threat surface that Salesloft Drift, Context.ai and similar publisher-compromise scenarios exploited.</li>
              <li><strong>Source is in published Amazon EC2 IP space.</strong> The <code>34.x.x.x</code> blocks are unambiguously AWS - cross-check the specific region against the live <a href="https://ip-ranges.amazonaws.com/ip-ranges.json">ip-ranges.json</a> (in this real example the address resolves to <code>eu-west-1</code> / Ireland, but exact ranges shift over time so always verify against the current published list). Many legitimate enterprise mail-reading SaaS products run on AWS - eDiscovery, archiving, journaling, security-scanning vendors. The legitimacy question is whether the <em>specific</em> SP shown here has a documented business reason to read mail from AWS infrastructure. Build a per-tenant allowlist of (servicePrincipalId, source-ASN) pairs that map to known mail-reading vendors; alert on any other combination.</li>
              <li><strong>User-agent is a Python async HTTP client.</strong> <code>Python/3.11 aiohttp/3.13.4</code> is async Python. Real enterprise mail products almost always identify themselves with a vendor-branded UA. <code>aiohttp</code> shows up in attacker tooling and in homegrown SOC scripts in roughly equal measure - context determines which.</li>
              <li><strong>Token is fresh (~26 min old).</strong> <code>tokenIssuedAt</code> at 14:18:56, event at 14:44:12 - well within the default 60-90 minute access-token lifetime. Recent token issuance combined with mailbox-content reads is consistent with active operation rather than legacy automation that just hasn't been touched in months.</li>
            </ul>

            <p>How to tell delegated and app-only flows apart in the Graph activity log, at a glance:</p>
            <table class="kv-table">
              <thead><tr><th>Field</th><th>Delegated (user-on-behalf)</th><th>App-only (service principal)</th></tr></thead>
              <tbody>
                <tr><td class="mono">properties.C_Idtyp</td><td class="mono">user</td><td class="mono"><strong>app</strong></td></tr>
                <tr><td class="mono">properties.scopes</td><td>populated (space-separated scope strings like <code>Mail.Read User.Read.All</code>)</td><td><strong>empty string</strong></td></tr>
                <tr><td class="mono">properties.roles</td><td>typically empty</td><td><strong>populated</strong> with granted application permissions</td></tr>
                <tr><td class="mono">properties.userId</td><td>the acting user's object id</td><td><strong>empty / absent</strong></td></tr>
                <tr><td class="mono">properties.UserPrincipalObjectID</td><td>the acting user's object id</td><td>the <strong>service principal's</strong> object id (same as <code>servicePrincipalId</code>)</td></tr>
                <tr><td class="mono">properties.servicePrincipalId</td><td>absent</td><td><strong>populated</strong> (the principal)</td></tr>
                <tr><td class="mono">properties.C_Sid</td><td>the user's session id</td><td><strong>empty</strong> (no user session)</td></tr>
                <tr><td class="mono">properties.C_DeviceId</td><td>often populated</td><td><strong>empty</strong></td></tr>
                <tr><td class="mono">properties.wids</td><td>user's role list; <code>b79fbf4d-...</code> = default-user (no admin role)</td><td>SP's role list; <code>0997a1d0-...</code> = Directory Readers (the typical sole wid when the SP has no other directory roles assigned)</td></tr>
                <tr><td class="mono">requestUri shape</td><td>often <code>/me/...</code> for the acting user's own data</td><td>almost always <code>/users/{id}/...</code> or <code>/groups/{id}/...</code> - app reads any user's data</td></tr>
              </tbody>
            </table>

            <p>Five things this single event tells a defender, in order of fidelity:</p>
            <ul>
              <li><strong>Token came from a FOCI client.</strong> <code>properties.appId == d3590ed6-52b3-4102-aeff-aad2292ab01c</code> is Microsoft Office, one of the eleven Family of Client IDs apps. Microsoft Office talking to <code>/users</code> is firmly outside its normal traffic shape - Office hits <code>/me/messages</code>, <code>/me/drive</code>, <code>/me/calendar</code>, <code>/me/joinedTeams</code>, never <code>/users</code> at scale. Off-pattern FOCI traffic is the post-token-theft signature TeamFiltration / UTA0352 / UNK_SneakyStrike rely on.</li>
              <li><strong>Directory enumeration intent (T1087.004).</strong> <code>requestUri</code> contains <code>/v1.0/users?$top=2000&amp;$select=id,displayName,mail,userPrincipalName,accountEnabled</code> - a textbook recon query: pull every account, who's enabled, enough metadata to pivot. The request returned 400 because Graph caps <code>$top</code> at 999 for <code>/users</code> and high page sizes need <code>ConsistencyLevel: eventual</code>; the attacker's next attempt would be <code>$top=999</code> with the right header. <strong>Alert on the attempt, not the result.</strong></li>
              <li><strong>Massive scope set on a delegated token.</strong> The <code>scopes</code> field carries ~45 distinct scopes including multiple <code>*.ReadWrite.All</code>. A normal Microsoft Office client doesn't ship this much surface area in a single token; this looks like custom developer tooling (or attacker tooling impersonating a FOCI client). Tokens with &gt;20 scopes including any <code>*.ReadWrite.All</code> against a FOCI app id are anomalous on their own.</li>
              <li><strong>Acting user is a regular non-admin.</strong> <a href="https://learn.microsoft.com/en-us/answers/questions/678108/what-b79fbf4d-3ef9-4689-8143-76b194e85509-in-wids">The <code>wids</code> claim of <code>b79fbf4d-3ef9-4689-8143-76b194e85509</code> is the default-user wid; it appears on every non-guest account and indicates an ordinary user with no admin role</a>. A non-admin pulling 2000 users via Graph from an Office token is exactly the kind of "compromised account doing unusual recon" you should page on.</li>
              <li><strong>User-agent is wrong twice.</strong> First, <code>Mozilla/5.0 (...; MSIE 11, Windows NT 6.3; Trident/7.0; ...)</code> is Internet Explorer 11 on Windows 8.1 - both end-of-life by 2023. Real Microsoft Office clients in 2026 don't ship that UA. Second, the literal value starts with the string <code>User-Agent: User-Agent:</code> (doubly-prefixed); this is a tooling bug where whatever made the request set the header value to <code>User-Agent: Mozilla/5.0...</code> instead of just <code>Mozilla/5.0...</code>. Both are weak signals on their own; doubly-prefixed UAs across a tenant are rare enough to hunt directly.</li>
            </ul>

            <p>The full set of fields on every record:</p>
            <ul>
              <li><code>properties.requestUri</code> - which Graph endpoint was called (<code>/v1.0/users</code>, <code>/v1.0/me/messages</code>, <code>/v1.0/me/drive/root/children</code>, etc). The single most useful field for attack-class identification.</li>
              <li><code>properties.requestMethod</code> - GET for read, POST/PATCH/DELETE for modification. Modification verbs against directory or app endpoints from a delegated user token are very rare in normal traffic.</li>
              <li><code>properties.responseStatusCode</code> - 200/204 = data returned; 400 = malformed (often attacker first attempt); 401/403 = blocked by CA or scope; 429 = throttled (high-volume recon).</li>
              <li><code>properties.appId</code> - the OAuth app id whose token authorized this call. Match against OAuthSentry's malicious or risky feeds, and check whether it's a FOCI app talking to off-pattern endpoints.</li>
              <li><code>properties.userId</code> / <code>properties.UserPrincipalObjectID</code> - on whose behalf the call was made (delegated tokens) or null/empty for app-only flows.</li>
              <li><code>properties.scopes</code> - the scopes carried by the token. Cross-reference against Merill's <a href="https://graphpermissions.merill.net/">graphpermissions.merill.net</a> to translate each scope into the exact list of endpoints it unlocks.</li>
              <li><code>properties.wids</code> - well-known role IDs the user holds. Combined with <code>userId</code>, this tells you whether the actor is a regular user or a privileged admin - which dramatically changes what "this Graph call is normal" means.</li>
              <li><code>properties.signInActivityId</code> - the <strong>UTI</strong> claim of the token, the same identifier surfaced as <code>uniqueTokenIdentifier</code> on Entra sign-in events. The link back to the originating sign-in. Pivot via the section 4 table.</li>
              <li><code>properties.userAgent</code> - the HTTP User-Agent header. Real Microsoft client UAs are well-known and stable per-app; anything else (Trident, python-requests, curl, Go-http-client, Java, doubly-prefixed) is suspicious.</li>
              <li><code>properties.ipAddress</code> / <code>callerIpAddress</code> - source. Cross-check against the user's normal sign-in pattern.</li>
              <li><code>properties.tokenIssuedAt</code> - when the token was originally issued. The delta between <code>tokenIssuedAt</code> and the event time tells you whether the call was made with a fresh or a refresh-derived token, which sets your window of vulnerability after compromise. <strong>Microsoft's defaults:</strong> access tokens last a randomized <strong>60-90 minutes (75 min average)</strong> for Conditional-Access-enabled tenants, or a flat <strong>2 hours</strong> for clients like Microsoft Teams and Microsoft 365 in tenants without CA; refresh tokens last <strong>90 days</strong> (24 hours for single-page apps), rolling-renewed on every use. Authorization codes (used only at the consent prompt) live exactly <strong>10 minutes</strong> and are not configurable. <strong>If your tenant has a Configurable Token Lifetime (CTL) policy that sets <code>AccessTokenLifetime</code> above the default</strong> - up to the maximum 24 hours - that is itself a security finding: it widens the window during which a stolen access token remains valid and unrevocable (per the <a href="#/investigation/remediation" data-route="/investigation/remediation">Remediation</a> note on revocation limits). Audit your CTL policies via <code>Get-MgPolicyTokenLifetimePolicy</code>; treat any policy with <code>AccessTokenLifetime</code> above two hours as worth a documented business justification.</li>
              <li><code>properties.responseSizeBytes</code> - large responses on <code>/messages</code> or <code>/drive/...</code> endpoints = bulk exfiltration.</li>
              <li><code>properties.policyEvaluated</code> - whether Conditional Access evaluated this call. Many Graph operations don't trigger CA evaluation; this is normal but worth knowing during incident reconstruction.</li>
            </ul>

            <div class="callout">
              <strong>Enable this now</strong>
              Graph activity logs are off by default. Turn them on (Entra admin center &rarr; Monitoring &amp; health &rarr; Diagnostic settings &rarr; add <code>MicrosoftGraphActivityLogs</code>) and route them to whatever destination feeds your Splunk index. The <a href="#/investigation/detections" data-route="/investigation/detections">Detections tab</a> ships Detection 10 (FOCI-token directory enumeration) and the <a href="#/investigation/hunting" data-route="/investigation/hunting">Hunting tab</a> ships Hunts 9 and 10 specifically for this stream. Without retroactive logs, post-incident scope is largely guesswork.
            </div>

            <h3><span class="num">6</span> Mailbox &amp; artifact-level traces</h3>
            <p>For mail-scope abuse - the most common goal of OAuth phishing - Exchange has its own audit trail. The richest event is <code>MailItemsAccessed</code>, but it has caveats every investigator must know.</p>

            <div class="callout warn">
              <strong>License and throttling caveats for MailItemsAccessed</strong>
              Following Microsoft's response to Storm-0558 in 2023, <code>MailItemsAccessed</code> moved from Purview Audit (Premium) to Purview Audit (Standard) - rolled out from June 2024 and complete by September 2024 - so it is now generated by default for any user on an Office 365 E3/E5 or Microsoft 365 E3/E5 license. <strong>Caveat</strong>: for mailboxes whose audit configuration was customized before the rollout, the new events are not auto-added; check <code>(Get-Mailbox).DefaultAuditSet</code> and add <code>MailItemsAccessed</code> to <code>AuditOwner</code>/<code>AuditDelegate</code> via <code>Set-Mailbox</code> if missing. Throttling: bind-event logging is capped at <strong>1,000 audit records per mailbox per 24 hours</strong>; once exceeded, MailItemsAccessed bind events for that mailbox stop logging for 24 hours (sync events, <code>Send</code>, <code>SoftDelete</code>, and other audit actions continue unaffected; admin searches against other mailboxes are also exempt). The first 1,000 events ARE recorded - the silenced window is the follow-on 24 hours. Throttled mailboxes are flagged with <code>IsThrottled = True</code> on the trigger record. Microsoft says &lt;1% of mailboxes ever throttle, so an <code>IsThrottled = True</code> event is itself a strong IOC.
            </div>

            <table class="kv-table">
              <thead><tr><th>Artifact</th><th>Where to look</th><th>What it shows</th></tr></thead>
              <tbody>
                <tr><td>Mailbox audit (M365 unified)</td><td class="mono">Search-UnifiedAuditLog -Operations MailItemsAccessed -FreeText &lt;appid&gt;</td><td>Every read keyed to <code>ClientAppId</code>, <code>ClientInfoString</code>, <code>SessionId</code>, <code>OperationProperties.ClientIPAddress</code>. <code>MailAccessType = Sync</code> = bulk folder pull (Outlook desktop / IMAP / EWS); <code>Bind</code> = single message access. CISA's Sparrow uses this exact query.</td></tr>
                <tr><td>Mailbox audit</td><td class="mono">Send / SendAs / SendOnBehalf</td><td>Outbound mail by the attacker through the OAuth token. Pivot on the same <code>SessionId</code> as the read events.</td></tr>
                <tr><td>Inbox rules</td><td class="mono">New-InboxRule / Set-InboxRule / UpdateInboxRules</td><td>Auto-forward, move-to-RSS-feeds, mark-as-read rules created during the attack window. Common pattern: forward-then-delete to hide replies.</td></tr>
                <tr><td>Mail flow rules</td><td class="mono">New-TransportRule / Set-TransportRule</td><td>Tenant-wide forwarding rules created via Graph after admin-consent abuse.</td></tr>
                <tr><td>Mailbox permissions</td><td class="mono">Add-MailboxPermission / Add-RecipientPermission</td><td>Send-As / Send-On-Behalf delegations added to give the attacker continued sending access after token revocation.</td></tr>
                <tr><td>Search activity (E5)</td><td class="mono">SearchQueryInitiatedExchange / SearchQueryInitiatedSharePoint</td><td>Off by default - must be enabled per-mailbox via <code>Set-Mailbox -AuditOwner @{Add="SearchQueryInitiated"}</code>. Reveals exactly what the attacker searched for.</td></tr>
              </tbody>
            </table>

            <p>Pivot pattern using SessionId once you have one suspicious event:</p>
            <div class="code-block">
              <div class="code-header">PowerShell - Exchange Online<button class="copy-snippet" type="button">copy</button></div>
              <pre># Find candidate sessions tied to the malicious app id
Search-UnifiedAuditLog -StartDate 2026-04-20 -EndDate 2026-04-27 `
    -Operations MailItemsAccessed -FreeText "&lt;malicious-app-id&gt;" `
    -ResultSize 5000 |
  Select-Object -ExpandProperty AuditData | ConvertFrom-Json |
  Select-Object CreationTime, UserId, ClientAppId, SessionId, ClientIPAddress, MailAccessType |
  Sort-Object SessionId, CreationTime

# Pull every record under one SessionId across all Exchange operations
$sid = "&lt;session-id-from-above&gt;"
Search-UnifiedAuditLog -StartDate 2026-04-20 -EndDate 2026-04-27 `
    -RecordType ExchangeItem,ExchangeItemAggregated,ExchangeAdmin -ResultSize 5000 |
  Select-Object -ExpandProperty AuditData | ConvertFrom-Json |
  Where-Object { $_.SessionId -eq $sid } |
  Select-Object CreationTime, UserId, Operation, ClientIPAddress |
  Sort-Object CreationTime</pre>
            </div>

            <h3><span class="num">7</span> Device registration (the persistence step)</h3>
            <p>Recent campaigns (UTA0355, Storm-2372) chain consent abuse with device registration to mint a Primary Refresh Token (PRT) - a token-granting token that survives password reset and outlasts most refresh-token revocations because it's tied to the registered device, not the user session.</p>
            <ul>
              <li><strong>Audit log op</strong> <code>Add device</code> or <code>Add registered owner to device</code> where the registering app id is <code>29d9ed98-a469-4536-ade2-f981bc1d605e</code> (Microsoft Authentication Broker) - the same client used by ROADtools / ROADtx in UTA0355 emulation.</li>
              <li><strong>Sign-in logs</strong> entries where <code>DeviceDetail.DeviceId</code> is freshly created (not seen in last 7-30 days) and <code>IsCompliant = false</code>, <code>IsManaged = false</code>.</li>
              <li><strong>Sign-in logs</strong> entries where <code>AuthenticationProtocol = deviceCode</code> = device-code flow phishing.</li>
              <li><strong>Conditional Access bypasses</strong> where the new device satisfies "compliant device" requirement because the attacker registered it themselves and joined it.</li>
              <li><strong>Audit log op</strong> <code>Register device</code> immediately followed by an MFA registration event (<code>Update user</code> with <code>StrongAuthenticationMethod</code> changes) for the same user is the strongest indicator of UTA0355's playbook.</li>
            </ul>

            <h3><span class="num">8</span> Reconstructing the timeline</h3>
            <p>Pull all of the above into a single chronology keyed off the application id and the affected user principal. The complete attack chain looks like this; use <code>CorrelationId</code> to glue events 1-2 together and <code>SessionId</code> + <code>UniqueTokenIdentifier</code> to glue events 3-5 together:</p>
            <ol>
              <li>User clicks phishing link &#8594; first sign-in to attacker app (<code>oauthsentry_aad_signin</code> with <code>category = SignInLogs</code>, captures <code>SessionId</code>)</li>
              <li>User accepts consent prompt &#8594; <code>Consent to application</code> + <code>Add OAuth2PermissionGrant</code> + (if new) <code>Add service principal</code> in <code>oauthsentry_o365_audit</code> (same <code>CorrelationId</code> as the sign-in)</li>
              <li>App receives access + refresh tokens &#8594; service principal sign-ins begin (<code>oauthsentry_aad_sp_signin</code>, each with its own <code>uniqueTokenIdentifier</code>)</li>
              <li>App calls Graph &#8594; Graph activity log entries linked by <code>SignInActivityId</code> = the UTI from step 3</li>
              <li>App reads mail &#8594; <code>MailItemsAccessed</code> events in <code>oauthsentry_o365_audit</code> with the same <code>AppAccessContext.AADSessionId</code> from step 1</li>
              <li>(optional persistence) <code>New-InboxRule</code>, <code>Add registered owner to device</code>, <code>Add service principal credentials</code> events in the same audit stream</li>
              <li>Attacker uses refresh token from new IPs &#8594; service principal sign-ins from anomalous geography, but with the same <code>appId</code></li>
            </ol>

            <h3><span class="num">9</span> SPL starter pack</h3>
            <p>Five investigator-grade SPL queries that map onto everything described in the table above. They reuse the macro stack defined in the Detections tab (<code>oauthsentry_o365_audit</code>, <code>oauthsentry_aad_signin</code>, etc.) so you only configure index/sourcetype once.</p>
            <div class="code-block">
              <div class="code-header">SPL<button class="copy-snippet" type="button">copy</button></div>
              <pre>``` 1. Every consent grant or grant-creation event in the last 30 days for known-malicious app ids ```
`oauthsentry_o365_audit` earliest=-30d
| eval Operation = replace(Operation, "\.$", "")
| where Operation IN (
    "Consent to application",
    "Add OAuth2PermissionGrant",
    "Add delegated permission grant",
    "Add app role assignment to service principal",
    "Add service principal",
    "Add service principal credentials"
  )
| spath path=ModifiedProperties{}.Name     output=mp_names
| spath path=ModifiedProperties{}.NewValue output=mp_values
| eval appid = lower(ObjectId)  ``` ObjectId is the AppId on consent events; M365 unified shape has no TargetId.ServicePrincipalNames ```
| eval scope_idx = mvfind(mp_names, "(?i)ConsentAction\.Permissions")
| eval scope     = lower(mvindex(mp_values, scope_idx))
| eval admin_idx = mvfind(mp_names, "(?i)ConsentContext\.IsAdminConsent")
| eval is_admin  = lower(mvindex(mp_values, admin_idx))
| `oauthsentry_malicious_lookup`
| where oas_category = "malicious"
| table _time Operation UserId ClientIP appid scope is_admin oas_severity oas_comment

``` 2. Service principal sign-ins from a known-bad app id, summarised ```
`oauthsentry_aad_sp_signin` earliest=-30d
| eval appid = lower(appId)
| `oauthsentry_malicious_lookup`
| where oas_category = "malicious" AND ResultType = "0"
| stats earliest(_time) as first_seen
        latest(_time)   as last_seen
        values(ipAddress)             as ips
        values(location)              as countries
        values(resourceDisplayName)   as resources
        dc(uniqueTokenIdentifier)     as tokens
    by appid, servicePrincipalName

``` 3. Pivot from one suspicious sign-in to every Exchange action in the same session. ```
``` Replace &lt;SID&gt; with the SessionId from the sign-in record. ```
`oauthsentry_o365_audit` earliest=-7d
| eval session = coalesce('AppAccessContext.AADSessionId', SessionId)
| where session = "&lt;SID&gt;"
| eval src_ip = coalesce(ClientIPAddress, ClientIP)
| spath path=Item.Subject output=item_subject
| table _time UserId Operation src_ip item_subject ResultStatus
| sort _time

``` 4. Pivot from one suspicious sign-in to every other audited action by the same UTI. ```
``` Replace &lt;UTI&gt; with the UniqueTokenIdentifier from the sign-in record. UTI surfaces both ```
``` in Entra sign-in logs (uniqueTokenIdentifier) and in M365 audit data (AppAccessContext.UniqueTokenId). ```
(`oauthsentry_aad_signin` uniqueTokenIdentifier="&lt;UTI&gt;") OR
(`oauthsentry_o365_audit` "AppAccessContext.UniqueTokenId"="&lt;UTI&gt;")
| eval src_ip = coalesce(ipAddress, ClientIPAddress, ClientIP)
| eval who    = coalesce(UserId, userPrincipalName, servicePrincipalName)
| table _time sourcetype Operation operationName who src_ip
| sort _time

``` 5. Newly-observed first-party app id with broad scopes (catches UTA0352-style abuse). ```
``` Visual Studio Code is a legit app, but a non-developer principal consenting it is suspicious. ```
`oauthsentry_aad_signin` appId="aebc6443-996d-45c2-90f0-388ff96faa56" earliest=-7d
| eval upn = lower(userPrincipalName)
| join type=leftanti upn [
    search `oauthsentry_aad_signin` appId="aebc6443-996d-45c2-90f0-388ff96faa56"
           earliest=-187d latest=-7d
    | eval upn = lower(userPrincipalName)
    | dedup upn
    | fields upn
  ]
| table _time upn ipAddress location resourceDisplayName</pre>
            </div>
          </div>
        </div>

        <!-- ===== Detections ===== -->
        <div class="invest-section" id="sub-detections" hidden>
          <div class="doc-block">
            <h2>Detections for OAuth abuse</h2>
            <p class="doc-lede">Thirteen SPL detections built for teams running M365 audit and Microsoft Entra logs through Splunk. Every search uses macros so the same logic works whether you're on the <strong>Splunk Add-on for Microsoft Office 365</strong> (sourcetypes <code>o365:management:activity</code>, <code>azure:audit</code>) or the <strong>Splunk Add-on for Microsoft Cloud Services</strong> (sourcetypes prefixed <code>mscs:</code>) - define the macros once and the searches travel with you. Tradecraft references in each detection point back to the Tradecraft tab.</p>

            <div class="callout">
              <strong>Macros to define before running anything below</strong>
              Drop these into <code>$SPLUNK_HOME/etc/apps/&lt;your-app&gt;/local/macros.conf</code>, restart, and adjust the <code>index=</code> and <code>sourcetype=</code> values to match your environment. Every detection in this tab references at least one of them, so you change five lines in one place rather than nine searches.
            </div>

            <div class="code-block">
              <div class="code-header">macros.conf<button class="copy-snippet" type="button">copy</button></div>
              <pre>[oauthsentry_o365_audit]
# M365 unified audit log via the Splunk Add-on for Microsoft Cloud Services
# (mscs:o365:management:activity) or the older Splunk Add-on for M365
# (o365:management:activity). Adjust index= to wherever you land it.
definition = (index=o365 (sourcetype=mscs:o365:management:activity OR sourcetype=o365:management:activity))
iseval = 0

[oauthsentry_aad_audit]
# Microsoft Entra audit log streamed via Azure Monitor diagnostic settings.
definition = (index=azure (sourcetype=mscs:azure:audit OR sourcetype=azure:audit))
iseval = 0

[oauthsentry_aad_signin]
# Microsoft Entra sign-in logs (interactive, non-interactive, SP, managed identity).
definition = (index=azure (sourcetype=mscs:azure:signin OR sourcetype=azure:signin))
iseval = 0

[oauthsentry_aad_sp_signin]
# Service principal sign-ins only.
definition = `oauthsentry_aad_signin` category=ServicePrincipalSignInLogs
iseval = 0

[oauthsentry_malicious_lookup]
# Decorate results with OAuthSentry malicious-feed metadata.
# Assumes you have a lookup definition named oauthsentry_malicious whose lookup file is
# refreshed from https://oauthsentry.github.io/feeds/all/all_malicious.csv (any cadence).
definition = lookup oauthsentry_malicious appid OUTPUT category as oas_category, severity as oas_severity, comment as oas_comment
iseval = 0

[oauthsentry_risky_lookup]
definition = lookup oauthsentry_risky appid OUTPUT category as oas_risky_category, severity as oas_risky_severity
iseval = 0

[oauthsentry_compliance_lookup]
definition = lookup oauthsentry_compliance appid OUTPUT category as oas_compliance_category
iseval = 0

[oauthsentry_graph_activity]
# Microsoft Graph activity logs streamed via Azure Monitor diagnostic settings
# (category=MicrosoftGraphActivityLogs). The macro is intentionally permissive so
# it works across the common Splunk Add-on configurations that ship Graph data:
#
#   - Splunk Add-on for Microsoft Cloud Services via Event Hub
#       index=o365  sourcetype=mscs:azure:eventhub  category=MicrosoftGraphActivityLogs
#   - Older / legacy Azure add-ons
#       index=azure category=MicrosoftGraphActivityLogs
#   - Custom HTTP Event Collector pipelines
#       sourcetype=azure:audit:graphactivity  (or whatever your team chose)
#
# Tighten the macro to your actual index= and sourcetype= once you know them; the
# (index=o365 OR index=azure) clause is for portability and will resolve via the
# index ACL automatically.
definition = ((index=o365 OR index=azure) sourcetype IN (mscs:azure:eventhub, azure:audit:graphactivity, mscs:azure:graphactivity) category=MicrosoftGraphActivityLogs)
iseval = 0</pre>
            </div>

            <h3 id="enrichment-pattern">Reusable enrichment pattern</h3>
            <p>Most detections in this tab produce one row per (user, token) or (user, token, hour) and surface bare object IDs and app GUIDs - useful but not directly actionable. The block below appends user, role and OAuth-app-classification metadata to any such result set, and escalates the alert tier when the token came from an app OAuthSentry classifies as malicious or risky. Apply at the end of any detection that produces <code>req_userid</code> + <code>appids</code> columns:</p>
            <div class="code-block">
              <div class="code-header">SPL - reusable enrichment + risk-based severity escalation<button class="copy-snippet" type="button">copy</button></div>
              <pre>``` --- 1. Resolve userId -> name + role from the directory lookup --- ```
``` Detection 13 maintains oauthsentry_user_directory.csv. The lookup keys      ```
``` on user_id (lowercase GUID) and outputs email, display name, jobTitle and  ```
``` an active/dormant status flag.                                             ```
| lookup oauthsentry_user_directory.csv user_id as req_userid
    OUTPUT user_email, user_display_name, user_jobtitle, status as user_status

``` --- 2. Resolve appId -> name + risk classification --- ```
``` 'appids' is multi-value but virtually always single-valued for one (user,  ```
``` token) pair; pull the first as a scalar. The three OAuthSentry catalog     ```
``` lookups are queried in priority order (malicious wins over risky wins      ```
``` over compliance) so a rare appid present in two CSVs resolves correctly.   ```
``` lower() normalises case since Splunk lookups are case-sensitive by default. ```
| eval primary_appid = lower(mvindex(appids, 0))
| lookup oauthsentry_malicious  appid as primary_appid
    OUTPUT appname as malicious_app_name, category as malicious_cat, severity as malicious_sev
| lookup oauthsentry_risky      appid as primary_appid
    OUTPUT appname as risky_app_name,     category as risky_cat,     severity as risky_sev
| lookup oauthsentry_compliance appid as primary_appid
    OUTPUT appname as compliance_app_name

| eval app_name     = coalesce(malicious_app_name, risky_app_name,
                               compliance_app_name, primary_appid)
| eval app_category = coalesce(malicious_cat, risky_cat, "compliance", "uncategorized")
| eval app_severity = coalesce(malicious_sev, risky_sev, "info")

``` --- 3. Risk-based severity escalation --- ```
``` Bytes / record-count thresholds in each detection give a baseline severity. ```
``` Override that baseline when the underlying app is malicious or risky.       ```
``` 'severity' must already exist on the row from the detection's own logic;    ```
``` if it does not, this block is a no-op for the detection's tier and only    ```
``` provides naming - which is fine.                                            ```
| eval severity = case(
    app_category = "malicious",                              "critical",
    app_category = "risky" AND severity != "critical",       "high",
    1==1,                                                     severity
  )

``` --- 4. Tidy intermediate fields out of the final result --- ```
| fields - malicious_app_name, malicious_cat, malicious_sev,
          risky_app_name, risky_cat, risky_sev, compliance_app_name</pre>
            </div>
            <p>Three things this enrichment buys you:</p>
            <ul>
              <li><strong>Routable alert text.</strong> Instead of "user <code>6b579021-2931-4f1b-...</code> exfiltrated 47 MB", the alert reads "user alice.example@yourdomain.com (Senior Finance Analyst) exfiltrated 47 MB via Microsoft Office (compliance)" - the on-call engineer knows immediately who to call and whether the app is in scope for normal use.</li>
              <li><strong>Risk-context promotion.</strong> 10 MB pulled by a token issued to a <em>known-malicious</em> app deserves the same treatment as 100 MB pulled by an unknown token - byte volume alone misses the IOC context. The case() escalation handles this automatically; teams that want the original byte-derived tier preserved can simply remove the case() block.</li>
              <li><strong>Status flag for dormant accounts.</strong> Detection 13's <code>user_status</code> column distinguishes "active user signed in today" from "user object id from a soft-deleted account". A dormant account producing OAuth events is itself an IR signal worth flagging in the alert subject.</li>
            </ul>
            <p>Detections that benefit (call out which ones in their tuning sections): <strong>10, 11, 12</strong> all produce the right input columns and gain both naming and risk escalation. Detections <strong>1, 2, 4, 8</strong> already filter on app classification (so the escalation is redundant) but still benefit from the user enrichment - apply only step 1 of the block above. Hunts <strong>9</strong> and <strong>10</strong> in the Hunting tab follow the same pattern.</p>

            <h3><span class="num">1</span> Consent or grant created for a known-malicious application id</h3>
            <p>Highest-fidelity OAuth detection: a user explicitly consented, or an admin created a grant, for an app OAuthSentry already classifies as malicious. Should fire as critical and page on-call. The unified audit log emits at least four operation names for the same underlying consent action; this search covers them all and normalises the trailing-period quirk the M365 Management Activity API sometimes adds (<code>"Consent to application."</code>).</p>
            <div class="code-block">
              <div class="code-header">SPL<button class="copy-snippet" type="button">copy</button></div>
              <pre>`oauthsentry_o365_audit`
| eval Operation = replace(Operation, "\.$", "")
| where Operation IN (
    "Consent to application",
    "Add OAuth2PermissionGrant",
    "Add delegated permission grant",
    "Add app role assignment to service principal"
  )

``` AppId is the top-level ObjectId on Consent to application events.    ```
``` TargetId.ServicePrincipalNames does NOT exist in the M365 unified     ```
``` shape - it's an Azure AD diagnostic-stream field. Fall back to the    ```
``` AppId nested in ExtendedProperties.additionalDetails for grant ops    ```
``` whose ObjectId is the grant id rather than the app id.                ```
| eval appid = lower(ObjectId)

``` Pull consent context (admin vs user) and the scope payload from       ```
``` ModifiedProperties. ConsentAction.Permissions is bracket-delimited,   ```
``` not JSON; regex over Scope: extracts every requested permission.      ```
| spath path=ModifiedProperties{}.Name     output=mp_names
| spath path=ModifiedProperties{}.NewValue output=mp_values
| eval admin_idx = mvfind(mp_names, "(?i)ConsentContext\.IsAdminConsent")
| eval is_admin  = if(lower(mvindex(mp_values, admin_idx)) == "true", "yes", "no")
| eval scope_idx = mvfind(mp_names, "(?i)ConsentAction\.Permissions")
| eval permissions_raw = mvindex(mp_values, scope_idx)
| rex field=permissions_raw max_match=20 "Scope:\s*(?&lt;_scope&gt;[^,\]]+)"
| eval consented_scopes = mvjoin(mvdedup(_scope), ", ")

``` ExtendedProperties.additionalDetails is a JSON-encoded string;        ```
``` spath input=Value drills in for User-Agent + redundant AppId.         ```
| spath path=ExtendedProperties{}.Name  output=ep_names
| spath path=ExtendedProperties{}.Value output=ep_values
| eval ad_idx = mvfind(ep_names, "(?i)additionalDetails")
| eval ad_raw = mvindex(ep_values, ad_idx)
| spath input=ad_raw path="User-Agent" output=user_agent
| spath input=ad_raw path="AppId"      output=ad_appid
| eval appid = lower(coalesce(appid, ad_appid))

| `oauthsentry_malicious_lookup`
| where oas_category = "malicious"

| stats count
        earliest(_time) as first_seen
        latest(_time)   as last_seen
        values(UserId)            as users
        values(ClientIP)          as src_ips
        values(user_agent)        as user_agents
        values(Operation)         as operations
        values(consented_scopes)  as scopes
    by appid, oas_severity, is_admin, oas_comment

| convert ctime(first_seen) ctime(last_seen)
| rename oas_severity as severity, oas_comment as oauthsentry_comment</pre>
            </div>

            <h3><span class="num">2</span> Service principal sign-in from a known-malicious or risky app</h3>
            <p>The app already has tokens and is using them. Fires every time the app authenticates as itself, regardless of which user originally consented. For risky-bucket apps, the search adds an IP-count threshold so legitimate first-party traffic does not page on-call.</p>
            <div class="code-block">
              <div class="code-header">SPL<button class="copy-snippet" type="button">copy</button></div>
              <pre>`oauthsentry_aad_sp_signin`
| eval appid = lower(appId)
| `oauthsentry_malicious_lookup`
| where oas_category IN ("malicious", "risky")

| stats count
        earliest(_time) as first_seen
        latest(_time)   as last_seen
        values(ipAddress)            as src_ips
        dc(ipAddress)                as ip_count
        values(resourceDisplayName)  as resources
        values(servicePrincipalName) as sp_names
    by appid, oas_category, oas_severity

``` Risky apps may legitimately authenticate; require >1 IP to alert. ```
``` Malicious apps page regardless. ```
| where oas_category = "malicious" OR ip_count &gt; 1
| convert ctime(first_seen) ctime(last_seen)
| sort - last_seen</pre>
            </div>

            <h3><span class="num">3</span> Newly observed OAuth app with high-risk scopes</h3>
            <p>Catches the next malicious app before OAuthSentry has tracked it. Heuristic: a consent event with mail/files/directory scopes for an AppId that has never been seen authenticating in your tenant in the prior 90 days. The historical baseline lives in the SP sign-in log, so this search needs both <code>oauthsentry_o365_audit</code> and <code>oauthsentry_aad_sp_signin</code> to be wired up.</p>
            <div class="code-block">
              <div class="code-header">SPL<button class="copy-snippet" type="button">copy</button></div>
              <pre>`oauthsentry_o365_audit` earliest=-7d
| eval Operation = replace(Operation, "\.$", "")
| where Operation = "Consent to application"

``` Extract AppId and the requested scopes ```
| spath path=ModifiedProperties{}.Name     output=mp_names
| spath path=ModifiedProperties{}.NewValue output=mp_values
| eval appid = lower(ObjectId)  ``` ObjectId is the AppId on consent events; M365 unified shape has no TargetId.ServicePrincipalNames ```
| eval scope_idx = mvfind(mp_names, "(?i)ConsentAction\.Permissions")
| eval scope     = lower(mvindex(mp_values, scope_idx))

``` Filter on high-risk scopes only ```
| where match(scope, "(?i)mail\.read|mail\.readwrite|mail\.send|files\.(read|readwrite)\.all|sites\.read\.all|directory\.read\.all|offline_access")

| stats earliest(_time) as first_seen
        values(UserId) as users
        values(scope)  as scopes
        count
    by appid

``` Anti-join against the prior 90 days of SP sign-ins. ```
``` If the AppId has signed in before, drop it; we only want first-time appearances. ```
| join type=left appid [
    search `oauthsentry_aad_sp_signin` earliest=-97d latest=-7d
    | eval appid = lower(appId)
    | stats earliest(_time) as historical_first by appid
  ]
| where isnull(historical_first)

| `oauthsentry_malicious_lookup`
| convert ctime(first_seen)
| sort - first_seen</pre>
            </div>

            <h3><span class="num">4</span> Admin consent for an app not on your verified-publisher allowlist</h3>
            <p>Admin consent is an enormous power transfer; combined with an unverified publisher it's one of the strongest single OAuth signals you can write. The cleanest production form uses your <code>oauthsentry_compliance</code> lookup as the allowlist - if an app gets admin consent and isn't in the compliance feed, it's worth a human eyeball.</p>
            <div class="code-block">
              <div class="code-header">SPL<button class="copy-snippet" type="button">copy</button></div>
              <pre>`oauthsentry_o365_audit`
| eval Operation = replace(Operation, "\.$", "")
| where Operation = "Consent to application"

| spath path=ModifiedProperties{}.Name     output=mp_names
| spath path=ModifiedProperties{}.NewValue output=mp_values

``` Restrict to admin-consent events ```
| eval admin_idx = mvfind(mp_names, "(?i)ConsentContext\.IsAdminConsent")
| eval is_admin  = lower(mvindex(mp_values, admin_idx))
| where is_admin = "true"

``` Pull the AppId ```
| eval appid = lower(ObjectId)  ``` ObjectId is the AppId on consent events; M365 unified shape has no TargetId.ServicePrincipalNames ```

``` Drop apps that are in our compliance allowlist ```
| `oauthsentry_compliance_lookup`
| where isnull(oas_compliance_category)

| eval scope_idx = mvfind(mp_names, "(?i)ConsentAction\.Permissions")
| eval scope     = lower(mvindex(mp_values, scope_idx))

| stats earliest(_time) as event_time
        values(UserId)   as approving_admin
        values(ClientIP) as src_ips
        values(scope)    as scopes
    by appid
| convert ctime(event_time)
| sort - event_time</pre>
            </div>

            <h3><span class="num">5</span> Service principal refresh-token grants from multiple countries in a short window</h3>
            <p>Refresh-token grants are non-interactive and ordinarily come from one place - automation has stable infrastructure. An SP redeeming refresh tokens from two or more countries inside an hour is the AiTM / token-replay signature, and is also what TeamFiltration looks like as it rotates AWS regions.</p>
            <div class="code-block">
              <div class="code-header">SPL<button class="copy-snippet" type="button">copy</button></div>
              <pre>`oauthsentry_aad_sp_signin` incomingTokenType="refreshToken" earliest=-1h
| iplocation ipAddress
| eval appid = lower(appId)

| stats dc(Country)             as country_count
        values(Country)         as countries
        values(ipAddress)       as src_ips
        values(servicePrincipalName) as sp_names
        count
    by appid
| where country_count &gt; 1

| `oauthsentry_malicious_lookup`
| `oauthsentry_risky_lookup`
| sort - count</pre>
            </div>

            <h3><span class="num">6</span> Mailbox accessed by an OAuth app that is not on your allowlist</h3>
            <p>Last line of defence. Fires when an OAuth app reads mail and the app id is not in your <code>oauthsentry_compliance</code> allowlist. <code>MailItemsAccessed</code> stores access type and throttle status inside <code>OperationProperties</code>, an array of <code>{Name, Value}</code> objects, so we extract those by name rather than relying on auto-flattening.</p>
            <div class="code-block">
              <div class="code-header">SPL<button class="copy-snippet" type="button">copy</button></div>
              <pre>`oauthsentry_o365_audit` Operation=MailItemsAccessed
| eval appid = lower(coalesce('AppAccessContext.ClientAppId', ClientAppId, AppId))

``` MailAccessType and IsThrottled live in OperationProperties[] as Name/Value pairs ```
| spath path=OperationProperties{}.Name  output=op_names
| spath path=OperationProperties{}.Value output=op_values
| eval mat_idx     = mvfind(op_names, "^MailAccessType$")
| eval access_type = mvindex(op_values, mat_idx)
| eval thr_idx     = mvfind(op_names, "^IsThrottled$")
| eval is_throttled= mvindex(op_values, thr_idx)

| `oauthsentry_compliance_lookup`
| where isnull(oas_compliance_category)
| `oauthsentry_malicious_lookup`

| stats count
        earliest(_time) as first_seen
        latest(_time)   as last_seen
        values(UserId)            as mailbox_owners
        values(ClientInfoString)  as client_strings
        values(ClientIPAddress)   as src_ips
        values(access_type)       as access_types
        values(is_throttled)      as throttled_flags
        values('AppAccessContext.AADSessionId') as session_ids
        dc('AppAccessContext.AADSessionId')     as session_count
    by appid, oas_category, oas_severity
| where count &gt; 5
| convert ctime(first_seen) ctime(last_seen)
| sort - count</pre>
            </div>

            <h3><span class="num">7</span> Pivot from a suspicious sign-in to every audited action in the same session</h3>
            <p>The investigator's bread-and-butter search. Once you have a SessionId from an Entra sign-in record, this returns every audited action authorised by that token chain - reads, sends, rule changes, deletes. <code>AppAccessContext.AADSessionId</code> is set on OAuth-token-driven Exchange events; bare <code>SessionId</code> is the fallback for Exchange events that predate the AppAccessContext schema. Save this as an investigator search and pass the session id in via a token like <code>$session_id$</code>.</p>
            <div class="code-block">
              <div class="code-header">SPL<button class="copy-snippet" type="button">copy</button></div>
              <pre>`oauthsentry_o365_audit`
| eval session = coalesce('AppAccessContext.AADSessionId', SessionId)
| where session = "$session_id$"

| eval appid    = lower(coalesce('AppAccessContext.ClientAppId', ClientAppId, AppId))
| eval src_ip   = coalesce(ClientIPAddress, ClientIP)
| spath path=Item.Subject output=item_subject

| table _time UserId Operation appid src_ip item_subject ResultStatus
| sort _time</pre>
            </div>

            <h3><span class="num">8</span> Device registered immediately after a new consent</h3>
            <p>Catches the UTA0355 / Storm-2372 chained pattern: consent followed by device-registration for the same user within minutes. We aggregate consent and device events per user with conditional aggregation so the timing comparison is direct - no fragile <code>mvfind</code> / <code>mvcount</code> dance.</p>
            <div class="code-block">
              <div class="code-header">SPL<button class="copy-snippet" type="button">copy</button></div>
              <pre>`oauthsentry_o365_audit`
| eval Operation = replace(Operation, "\.$", "")
| where Operation IN (
    "Consent to application", "Add OAuth2PermissionGrant",
    "Add device", "Add registered owner to device", "Register device"
  )
| eval bucket = case(
    Operation IN ("Consent to application","Add OAuth2PermissionGrant"),                "consent",
    Operation IN ("Add device","Add registered owner to device","Register device"),     "device"
  )

``` Conditional aggregation: pull each user's earliest consent-time and device-time. ```
``` min(eval(...)) is the canonical pattern; min returns numeric, ignoring null branches. ```
| stats min(eval(if(bucket = "consent", _time, null()))) as t_consent
        min(eval(if(bucket = "device",  _time, null()))) as t_device
        values(Operation) as ops
        values(ClientIP)  as src_ips
    by UserId

| where isnotnull(t_consent) AND isnotnull(t_device) AND t_device &gt; t_consent
| eval window_minutes = round((t_device - t_consent)/60, 1)
| where window_minutes &lt; 60

| convert ctime(t_consent) ctime(t_device)
| table UserId t_consent t_device window_minutes ops src_ips
| sort window_minutes</pre>
            </div>

            <h3><span class="num">9</span> Credential or certificate added to an OAuth service principal</h3>
            <p>Midnight Blizzard's signature post-consent move was to add their own client secret to an existing service principal so they could authenticate as the app from anywhere, even after user-token revocation. Any credential-add on an SP, especially one that recently appeared in your malicious or risky feed, is alert-worthy. The credential change shows up as a modification of <code>KeyDescription</code>, <code>PasswordCredentials</code>, or <code>KeyCredentials</code> inside <code>ModifiedProperties</code>.</p>
            <div class="code-block">
              <div class="code-header">SPL<button class="copy-snippet" type="button">copy</button></div>
              <pre>`oauthsentry_o365_audit`
| eval Operation = replace(Operation, "\.$", "")
| where Operation IN (
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
    "Update service principal"
  )

| spath path=ModifiedProperties{}.Name     output=mp_names
| spath path=ModifiedProperties{}.NewValue output=mp_values

``` Filter to events that actually mutate credential properties. ```
``` mvfind returns null (NOT -1) when no value matches; isnotnull() is the right check. ```
| where isnotnull(mvfind(mp_names, "(?i)KeyDescription|PasswordCredentials|KeyCredentials"))

| eval appid = lower(ObjectId)  ``` ObjectId is the AppId on consent events; M365 unified shape has no TargetId.ServicePrincipalNames ```

| `oauthsentry_malicious_lookup`
| `oauthsentry_risky_lookup`
| eval flag = case(
    isnotnull(oas_category),       "malicious",
    isnotnull(oas_risky_category), "risky",
    1==1,                          "unknown"
  )

| stats earliest(_time) as first_seen
        latest(_time)   as last_seen
        values(UserId)    as initiator
        values(ClientIP)  as src_ips
        values(Operation) as ops
    by appid, flag
| convert ctime(first_seen) ctime(last_seen)
| sort - last_seen</pre>
            </div>

            <h3><span class="num">10</span> FOCI-app token used to enumerate the directory via Graph</h3>
            <p>The post-token-theft recon signature. Microsoft Office, Azure CLI, Teams and the rest of the FOCI family don't normally call <code>/users</code>, <code>/groups</code>, <code>/directoryRoles</code>, <code>/applications</code> or <code>/servicePrincipals</code> - those endpoints are admin tools, not Office tools. A delegated Graph call from a FOCI app id to one of those resources is the textbook TeamFiltration / UTA0352 / UNK_SneakyStrike pattern: attacker steals a family refresh token, redeems it for an Office (or other FOCI) access token, then uses that token's broad pre-consented permissions to enumerate the directory. <strong>Fires regardless of <code>responseStatusCode</code></strong> because the attempt is the IOC; attackers retry with corrected pagination headers on the next attempt.</p>

            <p>This detection requires the Microsoft Graph activity log stream to be enabled (Entra admin center &rarr; Monitoring &amp; health &rarr; Diagnostic settings &rarr; <code>MicrosoftGraphActivityLogs</code>) and the <code>oauthsentry_graph_activity</code> macro defined at the top of this tab. See the anonymized reference event in <a href="#/investigation/forensics" data-route="/investigation/forensics">Forensic traces section 5</a> for the field layout.</p>

            <div class="code-block">
              <div class="code-header">SPL<button class="copy-snippet" type="button">copy</button></div>
              <pre>`oauthsentry_graph_activity`

``` Field paths in mscs:azure:eventhub place every Graph attribute under          ```
``` properties.*. Older add-ons or custom flatteners may also alias these to      ```
``` top-level fields - keep the coalesce() if your tenant straddles add-ons.      ```
| eval req_uri    = 'properties.requestUri'
| eval req_method = 'properties.requestMethod'
| eval req_appid  = 'properties.appId'
| eval req_spid   = 'properties.servicePrincipalId'                  ``` populated on app-only flows ```
| eval req_userid = coalesce('properties.userId', 'properties.UserPrincipalObjectID')
| eval req_wids   = 'properties.wids'
| eval req_scopes = 'properties.scopes'
| eval req_ua     = 'properties.userAgent'
| eval req_ip     = coalesce('properties.ipAddress', callerIpAddress)
| eval req_uti    = 'properties.signInActivityId'
| eval req_status = 'properties.responseStatusCode'

``` Filter 1: token came from a FOCI app id (Secureworks canonical list + variants). ```
| where lower(req_appid) IN (
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46",   ``` Microsoft Azure CLI ```
    "1950a258-227b-4e31-a9cf-717495945fc2",   ``` Microsoft Azure PowerShell ```
    "1fec8e78-bce4-4aaf-ab1b-5451cc387264",   ``` Microsoft Teams ```
    "d3590ed6-52b3-4102-aeff-aad2292ab01c",   ``` Microsoft Office ```
    "ab9b8c07-8f02-4f72-87fa-80105867a763",   ``` OneDrive SyncEngine ```
    "27922004-5251-4030-b22d-91ecd9a37ea4",   ``` Outlook Mobile ```
    "4813382a-8fa7-425e-ab75-3b753aab3abb",   ``` Microsoft Authenticator App ```
    "872cd9fa-d31f-45e0-9eab-6e460a02d1f1",   ``` Visual Studio ```
    "00b41c95-dab0-4487-9791-b9d2c32c80f2",   ``` Office 365 Management ```
    "af124e86-4e96-495a-b70a-90f90ab96707",   ``` OneDrive iOS App ```
    "26a7ee05-5602-4d76-a7ba-eae8b7b67941"    ``` Windows Search ```
  )

``` Filter 2: directory-enumeration / app-inventory endpoints. ```
``` Boundary characters anchor on the resource name to avoid /me/users-like false matches. ```
| where match(req_uri, "(?i)/v1\.0/(users|groups|directoryRoles|servicePrincipals|applications|devices)(\?|/|$)")

``` Enrichment: pull $top= so bulk-pull intent surfaces at triage time. ```
| rex field=req_uri "(?i)\$top=(?&lt;top_value&gt;\d+)"
| eval top_value = if(isnotnull(top_value), tonumber(top_value), 0)

``` Enrichment: flag non-admin actors. b79fbf4d-... is the default-user wid and ```
``` appears on every non-guest account. Presence of any other GUID in wids = user ```
``` holds at least one Entra role. Non-admins enumerating the directory at scale ```
``` is the high-fidelity slice of this detection.                              ```
| eval wids_clean = lower(replace(req_wids, "[\"\s\[\]]", ""))
| eval is_default_user_only = if(
    match(wids_clean, "^b79fbf4d-3ef9-4689-8143-76b194e85509$"),
    "yes-non-admin", "no-has-role")

``` Enrichment: count scopes; > 20 on a delegated FOCI token is anomalous. ```
| eval scope_count = if(isnotnull(req_scopes), 
                         mvcount(split(req_scopes, " ")), 0)

| stats count
        earliest(_time) as first_seen
        latest(_time)   as last_seen
        values(req_uri)              as endpoints
        values(req_appid)            as appids
        values(req_method)           as methods
        values(req_ip)               as src_ips
        values(req_ua)               as user_agents
        values(req_uti)              as token_utis
        values(req_status)           as status_codes
        max(top_value)               as max_top_requested
        max(scope_count)             as max_scopes_in_token
        values(is_default_user_only) as actor_role
    by req_userid
| convert ctime(first_seen) ctime(last_seen)
| sort - count</pre>
            </div>

            <p>Tuning recommendations specific to this detection:</p>
            <ul>
              <li><strong>Page on-call</strong> when <code>actor_role = "yes-non-admin"</code> AND <code>max_top_requested &gt;= 50</code>. Non-admin + bulk pull is the cleanest possible signature.</li>
              <li><strong>Daily hunting review</strong> for everything else - the detection will catch some legitimate edge cases (e.g. an admin debugging a Graph integration via Azure CLI) where context determines verdict.</li>
              <li><strong>Suppress</strong> via a per-tenant lookup of trusted automation accounts that have a documented business reason to do directory enumeration via FOCI clients (rare but not zero).</li>
              <li><strong>Apply the <a href="#enrichment-pattern" data-route="/investigation/detections">reusable enrichment pattern</a></strong> at the end of the search to translate <code>req_userid</code> into a routable email/display-name + role, and the bare <code>appids</code> GUIDs into human-readable app names. Detection 10 already filters to FOCI apps so the risk-tier escalation is redundant for this one - apply only step 1 of the pattern (user-directory lookup) for the cleanest result.</li>
            </ul>

            <h3><span class="num">11</span> Cumulative directory-pull volume from one token over time</h3>
            <p>Detection 10 fires on the <em>shape</em> of a single request (FOCI app + directory endpoint). This detection fires on the <em>cumulative volume</em> of records one token tried to retrieve, regardless of whether each individual request succeeded. It catches three patterns Detection 10 misses:</p>
            <ul>
              <li><strong>Iterative probing</strong> - attacker tries <code>$top=2000</code> (400), retries with <code>$top=999</code> + <code>ConsistencyLevel: eventual</code> (200), then paginates. Detection 10 fires once on the first request; Detection 11 sees the full ~10k records they actually walked.</li>
              <li><strong>Slow-and-low</strong> - attacker pulls 100 records every 5 minutes for 8 hours (~9,600 records, distributed). No single request looks alarming; the cumulative shape is the IOC.</li>
              <li><strong>Pagination without <code>$top</code></strong> - omitting <code>$top</code> falls back to a per-resource default page size (Microsoft documents <code>/users</code> at 100, but <code>/me/messages</code> at 10, and other resources vary; <a href="https://learn.microsoft.com/en-us/graph/paging">Graph paging docs</a> for per-resource specifics). Attackers can simply walk <code>@odata.nextLink</code> indefinitely. Detection 10's <code>max_top_requested</code> stays at 0; Detection 11 counts each request as 100 by default for the directory endpoints in scope (which is the <code>/users</code> default).</li>
            </ul>

            <p>The arithmetic: for each Graph request to a directory endpoint, attribute "records attempted" - if <code>$top</code> is present, that's the value; otherwise default to 100 (Graph's implicit page size). 200/206 responses contribute the full <code>$top</code>; 400/429 also contribute the full <code>$top</code> because the <em>intent</em> was that volume even if the server rejected it.</p>

            <div class="code-block">
              <div class="code-header">SPL<button class="copy-snippet" type="button">copy</button></div>
              <pre>`oauthsentry_graph_activity` earliest=-1h

| eval req_uri    = 'properties.requestUri'
| eval req_method = 'properties.requestMethod'
| eval req_appid  = 'properties.appId'
| eval req_spid   = 'properties.servicePrincipalId'
| eval req_userid = coalesce('properties.userId', 'properties.UserPrincipalObjectID', req_spid)
| eval req_uti    = 'properties.signInActivityId'
| eval req_ip     = coalesce('properties.ipAddress', callerIpAddress)
| eval req_status = 'properties.responseStatusCode'
| eval req_size   = 'properties.responseSizeBytes'

``` Restrict to directory-enumeration endpoints. /me/* is intentionally NOT included ```
``` here - reading your own mail/drive/contacts is high-volume but not directory     ```
``` enumeration, and a single $top alone misrepresents data volume (responses vary   ```
``` wildly in size). Detection 12 below covers /me/* data-volume reads with a        ```
``` byte-based threshold instead. Run both - they catch different attacker actions.  ```
| where match(req_uri, "(?i)/v1\.0/(users|groups|directoryRoles|servicePrincipals|applications|devices)(\?|/|$)")
| where req_method = "GET"

``` Pull $top= if present; default to 100 (Graph's implicit page size when ```
``` $top is omitted) so pagination-only walks still count toward the total.   ```
| rex field=req_uri "(?i)\$top=(?&lt;top_raw&gt;\d+)"
| eval records_attempted = coalesce(tonumber(top_raw), 100)

``` Aggregate per-token. The token UTI (signInActivityId) is the right key - ```
``` it pinpoints one specific access token, so two tokens for the same user  ```
``` from two different sessions are scored independently. For app-only flows ```
``` userId is null - we fall through to servicePrincipalId via coalesce above. ```
| stats sum(records_attempted)         as total_records_attempted
        sum(req_size)                   as total_response_bytes
        count                           as request_count
        dc(req_uri)                     as distinct_endpoints
        values(req_uri)                 as endpoints
        values(req_appid)               as appids
        values(req_ip)                  as src_ips
        values(req_status)              as status_codes
        max(coalesce(tonumber(top_raw),0)) as max_top
        earliest(_time)                 as first_seen
        latest(_time)                   as last_seen
    by req_userid, req_uti

``` Three-tier severity:                                                       ```
```   critical: >= 10000 records attempted in 1h   (clear bulk enum intent)    ```
```   high:    >=  1000 records attempted in 1h   (worth daily review)        ```
```   info:    >=   250 (drops out of this query, picked up by 24h variant)   ```
| eval severity = case(
    total_records_attempted &gt;= 10000, "critical",
    total_records_attempted &gt;=  1000, "high",
    1==1, null
  )
| where isnotnull(severity)

| convert ctime(first_seen) ctime(last_seen)
| sort - total_records_attempted</pre>
            </div>

            <p>Slow-and-low variant for the 24-hour window with a lower per-token threshold:</p>
            <div class="code-block">
              <div class="code-header">SPL - 24h slow-and-low variant<button class="copy-snippet" type="button">copy</button></div>
              <pre>`oauthsentry_graph_activity` earliest=-24h

| eval req_uri    = 'properties.requestUri'
| eval req_method = 'properties.requestMethod'
| eval req_appid  = 'properties.appId'
| eval req_spid   = 'properties.servicePrincipalId'
| eval req_userid = coalesce('properties.userId', 'properties.UserPrincipalObjectID', req_spid)
| eval req_uti    = 'properties.signInActivityId'

| where match(req_uri, "(?i)/v1\.0/(users|groups|directoryRoles|servicePrincipals|applications|devices)(\?|/|$)")
| where req_method = "GET"

| rex field=req_uri "(?i)\$top=(?&lt;top_raw&gt;\d+)"
| eval records_attempted = coalesce(tonumber(top_raw), 100)

``` Bucket into 1h windows so we can see the rate, not just the daily total ```
| bin _time span=1h
| stats sum(records_attempted) as records_per_hour count as requests_per_hour by _time, req_userid, req_uti, req_appid

``` Aggregate the 24 hourly buckets per token ```
| stats sum(records_per_hour)   as total_records_24h
        sum(requests_per_hour)  as total_requests_24h
        max(records_per_hour)   as peak_hour
        dc(_time)               as active_hours
        values(req_appid)       as appids
        earliest(_time)         as first_bucket
        latest(_time)           as last_bucket
    by req_userid, req_uti

``` Threshold tuned for distributed enumeration: 250+ records sustained over   ```
``` 4+ active hours, OR 5000+ total records regardless of distribution.        ```
| where (total_records_24h &gt;= 250 AND active_hours &gt;= 4)
     OR (total_records_24h &gt;= 5000)

| convert ctime(first_bucket) ctime(last_bucket)
| sort - total_records_24h</pre>
            </div>

            <p>Tuning recommendations specific to this detection:</p>
            <ul>
              <li><strong>Critical threshold (10k records / 1h)</strong> is the alert tier. Pages on-call. Almost no legitimate workflow pulls 10,000 directory records from a delegated user token in one hour - this is automation territory and automation should be using app-only tokens with documented service principals (which would be filtered out by the user-token restriction implicit in this query).</li>
              <li><strong>High threshold (1k records / 1h)</strong> is daily review. Catches admins doing genuine work via Azure CLI / Graph Explorer / a custom script - those will appear here legitimately. Tune by adding a per-tenant allowlist of admin object IDs that are expected to read the directory at this rate.</li>
              <li><strong>Slow-and-low (250 over 4 hours, or 5k over 24h)</strong> is daily review. The 4-hour active-hour requirement filters out legitimate one-off bulk pulls (which complete in minutes); a token that reads 250+ records every hour for 4+ hours is automated and not interactive.</li>
              <li><strong>The pagination-without-<code>$top</code> case</strong> is the most subtle. Default page size assumption (100) may overcount if your tenant routinely uses smaller pages, or undercount on <code>/users/$select=...</code> queries where the actual returned size depends on the response shape. Validate by sampling <code>responseSizeBytes</code> in your tenant: if average response size on no-<code>$top</code> requests is ≪ 100 records, lower the default.</li>
              <li><strong>Anti-correlate with Detection 10</strong>. A token that fires both Detection 10 (FOCI app + directory endpoint) and Detection 11 (cumulative volume) is high-confidence. Detection 11 alone, from a non-FOCI app id, is genuine admin work or third-party integration - lower confidence by itself.</li>
              <li><strong>Status-code distribution as a tell</strong>. Add <code>list(req_status) as status_seq</code> to either query and look for the <code>400 → 200, 200, 200, ...</code> pattern (failed probe followed by successful pagination). That sequence is the smoking gun for iterative probing and is essentially never seen in legitimate use.</li>
              <li><strong>Apply the <a href="#enrichment-pattern" data-route="/investigation/detections">reusable enrichment pattern</a></strong> at the end of the search. Detection 11 doesn't filter on app classification, so the full risk-tier escalation applies: a token issued to a known-malicious app pulling 1,000 directory records (the high tier) automatically escalates to critical.</li>
            </ul>

            <h3><span class="num">12</span> Cumulative <code>/me/*</code> data-volume reads from one token</h3>
            <p>The companion to Detection 11. Detection 11 catches <em>directory enumeration</em> (listing principals); Detection 12 catches <em>data exfiltration from the acting user's own mailbox/drive/contacts</em> - the cheapest read path for an attacker holding a stolen delegated token, since <code>/me/*</code> doesn't require any extra permissions beyond what the user already has. The pattern: token holder rapidly walks <code>/me/messages</code>, <code>/me/drive/root/children</code>, <code>/me/contacts</code> with high page sizes (or pagination), pulling everything they have access to.</p>
            <p>Why this needs its own detection rather than being merged into 11:</p>
            <ul>
              <li><strong>The metric is response bytes, not records.</strong> One <code>/me/messages?$top=50</code> request returns ~50 message stubs (~50 KB); one <code>/me/messages/{id}/$value</code> request returns one full email with attachments (could be many MB). Counting "records attempted" via <code>$top</code> dramatically undercounts exfil volume on the latter - a 1 MB email with attachments is the data, not the row count.</li>
              <li><strong>The default page size differs.</strong> <code>/me/messages</code> defaults to 10 records per page (per Microsoft's <a href="https://github.com/microsoftgraph/python-sample-pagination">python-sample-pagination</a> docs), not 100 like <code>/users</code>. A pagination-only walk of a 5,000-message inbox is 500 requests with no <code>$top</code>, easy to miss with a record-count threshold.</li>
              <li><strong>Mailbox-content reads via <code>/$value</code></strong> retrieve raw MIME including attachments - the highest-data-density read path in Graph. <code>responseSizeBytes</code> on these requests directly measures exfil volume.</li>
            </ul>

            <div class="code-block">
              <div class="code-header">SPL - cumulative /me/* read volume per token, 1h window<button class="copy-snippet" type="button">copy</button></div>
              <pre>`oauthsentry_graph_activity` earliest=-1h

| eval req_uri    = 'properties.requestUri'
| eval req_method = 'properties.requestMethod'
| eval req_appid  = 'properties.appId'
| eval req_userid = coalesce('properties.userId', 'properties.UserPrincipalObjectID')
| eval req_uti    = 'properties.signInActivityId'
| eval req_idtyp  = 'properties.C_Idtyp'
| eval req_ip     = coalesce('properties.ipAddress', callerIpAddress)
| eval req_status = 'properties.responseStatusCode'
| eval req_size   = 'properties.responseSizeBytes'

``` Delegated tokens only - app-only tokens don't have a /me context. ```
| where req_idtyp = "user"
| where req_method = "GET"

``` Restrict to /me/* and the most exfil-heavy variants. ```
| where match(req_uri, "(?i)/v1\.0/me/(messages|mailFolders|drive/root|drive/items|contacts|chats|joinedTeams|onenote)(\?|/|$)")

``` Distinguish full-content reads (high data density) from index reads. ```
| eval is_full_content = if(match(req_uri, "(?i)/\$value(\?|$)"), 1, 0)

``` Bucket into 1h windows so a single token doing sustained reads across      ```
``` multiple hours produces one row per hour rather than one giant row that    ```
``` wrongly aggregates many hours of activity into the highest-tier severity.  ```
| bin _time as time span=1h
| stats sum(req_size)              as total_response_bytes
        count                       as request_count
        sum(is_full_content)        as full_content_reads
        dc(req_uri)                 as distinct_endpoints
        values(req_appid)           as appids
        values(req_ip)              as src_ips
        values(req_status)          as status_codes
        earliest(_time)             as first_seen
        latest(_time)               as last_seen
    by req_userid, req_uti, time
| fields - time

``` Three-tier severity, BYTES not records:                                    ```
```   critical: >= 100 MB pulled in 1h via /me/* from one token              ```
```   high:    >=  10 MB pulled in 1h via /me/* from one token              ```
```   info:    >=   1 MB AND >= 50 requests (catches slow walks; daily review) ```
| eval mb_pulled = round(total_response_bytes / 1048576, 2)
| eval severity = case(
    mb_pulled &gt;= 100,                          "critical",
    mb_pulled &gt;=  10,                          "high",
    mb_pulled &gt;=   1 AND request_count &gt;= 50,  "info",
    1==1, null
  )
| where isnotnull(severity)
| convert ctime(first_seen) ctime(last_seen)
| sort - mb_pulled</pre>
            </div>

            <p>Tuning recommendations specific to this detection:</p>
            <ul>
              <li><strong>Critical threshold (100 MB / 1h)</strong>: pages on-call. A user reading 100 MB of their own mailbox content in an hour via Graph API (not the Outlook client) is almost always automation; if the automation isn't documented, it's an exfil candidate. Mailboxes with very large signature blocks or routine high-volume PST migrations are the legitimate edge cases - allowlist them by SP/user.</li>
              <li><strong>High threshold (10 MB / 1h)</strong>: daily review. Catches eDiscovery sweeps, archiving tools running on user-delegated tokens, and any custom tooling that bulk-reads mailbox content. Most defender tenants will have a small set of expected (UTI, source-IP) combinations here within a week of running the detection - allowlist them.</li>
              <li><strong>Info threshold (1 MB across &ge; 50 requests)</strong>: catches the slow-and-low pattern. 50 sequential requests in an hour is consistent with paginated walks of a mailbox; combined with even modest byte volume this is automated reading.</li>
              <li><strong><code>full_content_reads</code> as a force-multiplier</strong>: any request matching <code>/$value</code> is reading raw MIME including attachments. A token that does &gt; 5 <code>/$value</code> reads in an hour is exfiltrating mailbox content even if the byte total stays under the threshold.</li>
              <li><strong>Anti-correlate with Detection 11</strong>: a delegated token that fires both Detection 11 (directory enumeration) and Detection 12 (own-mailbox bulk read) within the same hour is the textbook stolen-token IR signature: attacker enumerates the tenant to find high-value targets, then reads their own mailbox to map internal communication while they're at it. Pages on-call regardless of individual severity tier.</li>
              <li><strong>Apply the <a href="#enrichment-pattern" data-route="/investigation/detections">reusable enrichment pattern</a></strong> at the end of the search. Detection 12 doesn't filter on app classification, so the full risk-tier escalation applies: a token issued to a malicious-bucket app pulling 10 MB (the high tier) automatically escalates to critical, and the alert renders with the user's email, role and a routable app name instead of bare GUIDs.</li>
            </ul>

            <h3><span class="num">13</span> Maintain a tenant directory lookup for username enrichment</h3>
            <p>This isn't a detection by itself - it's the supporting infrastructure that turns every other detection's <code>userId</code> column from a useless GUID into a name a SOC analyst can act on. Every Graph activity log, sign-in event and Reports API record references principals by object id (<code>properties.userId</code>, <code>properties.servicePrincipalId</code>); without enrichment, your alerts read "user <code>6b579021-2931-4f1b-b523-d4ac40e50ed9</code> exfiltrated 47 MB" - true but not directly actionable. With a maintained directory lookup, the same alert reads "user alice.example@yourdomain.com (Senior Finance Analyst) exfiltrated 47 MB", which routes itself.</p>

            <p>The lookup is a CSV (or KV-store collection) keyed on object id, refreshed on a schedule. Four options ranked by reliability - which one to pick depends on what you have available:</p>

            <h4>Option A - Splunk Microsoft 365 add-on metadata (cleanest, recommended)</h4>
            <p>If you run the <a href="https://splunkbase.splunk.com/app/3786">Splunk Add-on for Microsoft Office 365</a>, it already periodically pulls the tenant directory and lands it as <code>sourcetype=o365:metadata</code>. This is the cleanest source: authoritative (it comes from M365 itself, not inferred from sign-in events), already paginated and authenticated for you, includes job titles, and covers dormant users that other approaches miss. Two patterns - pick one based on whether you want a snapshot or an accumulating history:</p>

            <p><strong>A.1 - Last-snapshot wins (simplest, what most teams want):</strong></p>
            <div class="code-block">
              <div class="code-header">SPL - rebuild the directory from the latest M365 metadata snapshot<button class="copy-snippet" type="button">copy</button></div>
              <pre>index=o365 sourcetype="o365:metadata"
| stats count by id, userPrincipalName, user, jobTitle
| fields - count
| rename id              as user_id,
         userPrincipalName as user_email,
         user            as user_display_name,
         jobTitle        as user_jobtitle
| outputlookup oauthsentry_user_directory.csv</pre>
            </div>

            <p><strong>A.2 - Accumulating history (preserves users who later disappear from the snapshot):</strong></p>
            <p>The simple form above wipes the lookup on every run, so a user who has been deactivated or whose record falls out of the metadata feed disappears from the lookup too - which is bad for IR (you can no longer resolve historical alerts about that user). The history-preserving form keeps every user object id ever seen, refreshes the metadata for ones still in the current snapshot, and tracks <code>first_seen</code> / <code>last_seen</code> so investigators can tell active accounts from dormant ones at a glance:</p>
            <div class="code-block">
              <div class="code-header">SPL - append-only directory build with first_seen / last_seen tracking<button class="copy-snippet" type="button">copy</button></div>
              <pre>``` Step 1: today's snapshot from the M365 add-on metadata stream. ```
``` strftime emits ISO-ish timestamps that read cleanly in alert email bodies. ```
index=o365 sourcetype="o365:metadata"
| stats count by id, userPrincipalName, user, jobTitle
| fields - count
| rename id              as user_id,
         userPrincipalName as user_email,
         user            as user_display_name,
         jobTitle        as user_jobtitle
| eval first_seen = strftime(now(), "%Y-%m-%dT%H:%M:%SZ")
| eval last_seen  = first_seen
| eval status     = "active"

``` Step 2: append the prior version of the lookup so existing rows survive. ```
``` inputlookup with append=true returns no error if the file does not exist     ```
``` yet (first run); subsequent runs include every row from yesterday onward.   ```
| append [
    | inputlookup append=true oauthsentry_user_directory.csv
  ]

``` Step 3: collapse to one row per user_id. ```
``` - first_seen = oldest first_seen value (preserved from prior runs)         ```
``` - last_seen  = today, ONLY if the user_id appeared in today's snapshot     ```
``` - all other fields = newest non-null value (refresh metadata for active   ```
```   users; preserve old metadata for users no longer in the snapshot)       ```
| stats min(first_seen)              as first_seen
        max(last_seen)               as last_seen
        latest(user_email)           as user_email
        latest(user_display_name)    as user_display_name
        latest(user_jobtitle)        as user_jobtitle
   by user_id

``` Step 4: derive a status flag - "active" if last_seen is today, "dormant"   ```
``` if it has been more than 7 days since the user appeared in the snapshot.   ```
``` Threshold tunable to your add-on's metadata refresh cadence (default ~1d). ```
| eval today  = strftime(now(),                "%Y-%m-%d")
| eval seenat = strftime(strptime(last_seen, "%Y-%m-%dT%H:%M:%SZ"), "%Y-%m-%d")
| eval status = if(relative_time(now(), "-7d") &gt; strptime(last_seen, "%Y-%m-%dT%H:%M:%SZ"),
                   "dormant", "active")
| fields - today, seenat

| outputlookup oauthsentry_user_directory.csv</pre>
            </div>
            <p>Schedule this on the same cadence as the add-on's metadata refresh (typically daily). The lookup grows monotonically by exactly the number of new users onboarded that day - in a 5,000-seat tenant with ~5 new hires/week, this stays well under 1 MB even after years of accumulation.</p>

            <h4>Option B - Sign-in-log harvest (when the M365 add-on is not deployed)</h4>
            <p>Walk the Entra sign-in log over a sliding window and build the directory from observed users. Works the moment you have sign-in logs; the only gap is users who haven't signed in within the lookback window. Schedule this search to run daily:</p>
            <div class="code-block">
              <div class="code-header">SPL - daily build of the user directory from sign-in logs<button class="copy-snippet" type="button">copy</button></div>
              <pre>``` Run on schedule. Sourcetype is whatever your environment uses for       ```
``` SignInLogs - mscs:azure:signinlogs, azure:audit:signinlogs, or filtered ```
``` from mscs:azure:eventhub by category=SignInLogs. Verify with:           ```
```   index=o365 | stats count by sourcetype, category                      ```

index=o365 sourcetype="mscs:azure:signinlogs" earliest=-30d
| eval user_id = lower('properties.userId')
| where isnotnull(user_id) AND user_id != ""
| stats latest(properties.userPrincipalName) as user_email
        latest(properties.userDisplayName)   as user_display_name
        latest(_time)                         as last_seen
   by user_id
| outputlookup oauthsentry_user_directory.csv</pre>
            </div>
            <p>The same append-only history pattern from Option A.2 above applies here too if you want to preserve users who haven't signed in recently - swap the snapshot source for the sign-in log query and keep the rest identical.</p>

            <h4>Option C - Service principal directory (separate stream, app-only flows)</h4>
            <p>App-only Graph activity logs surface <code>servicePrincipalId</code> instead of <code>userId</code>. Service principals appear in the dedicated <code>ServicePrincipalSignInLogs</code> stream, not the regular sign-in log, so they need a separate harvest. The pattern is the same:</p>
            <div class="code-block">
              <div class="code-header">SPL - daily build of the service principal directory<button class="copy-snippet" type="button">copy</button></div>
              <pre>index=o365 sourcetype="mscs:azure:signinlogs" category=ServicePrincipalSignInLogs earliest=-30d
| eval sp_object_id = lower('properties.servicePrincipalId')
| where isnotnull(sp_object_id) AND sp_object_id != ""
| stats latest(properties.servicePrincipalName) as sp_name
        latest(properties.appId)                as app_id
        latest(properties.appDisplayName)       as app_display_name
        latest(_time)                            as last_seen
   by sp_object_id
| outputlookup oauthsentry_sp_directory.csv</pre>
            </div>

            <h4>Option D - Authoritative pull from Microsoft Graph (most complete, most plumbing)</h4>
            <p>The two harvests above only catch principals that have signed in within the lookback window. To get every user and SP in the tenant - including dormant accounts, freshly provisioned users that haven't signed in yet, and SPs that exist but haven't authenticated - pull directly from Graph. Requires a service principal in your tenant with <code>User.Read.All</code> + <code>Application.Read.All</code> application permissions, and either Splunk's REST modular input or a small scheduled cron that runs <code>curl</code> + <code>jq</code> and writes to the lookup file. Sample shell pipeline (run nightly under a service account):</p>
            <div class="code-block">
              <div class="code-header">bash - nightly pull of the full tenant directory<button class="copy-snippet" type="button">copy</button></div>
              <pre>``` Set GRAPH_ACCESS_TOKEN out-of-band via your secrets store. ```
TENANT_ID="your-tenant-id"
TOKEN=$(curl -s -X POST "https://login.microsoftonline.com/$TENANT_ID/oauth2/v2.0/token" \
  -d "client_id=$CLIENT_ID" \
  -d "client_secret=$CLIENT_SECRET" \
  -d "scope=https://graph.microsoft.com/.default" \
  -d "grant_type=client_credentials" \
  | jq -r '.access_token')

``` Pull every user with paging until @odata.nextLink stops returning ```
URL="https://graph.microsoft.com/v1.0/users?\$select=id,userPrincipalName,displayName&\$top=999"
echo "object_id,upn,display_name" &gt; /tmp/oauthsentry_user_directory.csv
while [ -n "$URL" ]; do
  RESP=$(curl -s -H "Authorization: Bearer $TOKEN" "$URL")
  echo "$RESP" | jq -r '.value[] | [.id, .userPrincipalName, .displayName] | @csv' \
    &gt;&gt; /tmp/oauthsentry_user_directory.csv
  URL=$(echo "$RESP" | jq -r '."@odata.nextLink" // empty')
done

``` Same approach for service principals; targets /servicePrincipals endpoint. ```

``` Then push the CSV to your Splunk search head. Easiest path: REST POST to    ```
``` services/data/lookup-table-files. Or write to a shared NFS mount that the   ```
``` Splunk indexers / search heads already include in their lookup paths.       ```</pre>
            </div>

            <h4>Using the lookup in any other detection</h4>
            <p>Once one of the four options above is populating the lookup file on a daily cadence, every other detection in this tab gets username enrichment with one extra line. Place this at the end of any search that produces a <code>req_userid</code> column. The example below uses the column names from Option A.2 (the recommended path); if you used Option B, swap <code>user_id</code> for <code>object_id</code> and <code>user_email</code>/<code>user_display_name</code> for <code>upn</code>/<code>display_name</code>:</p>
            <div class="code-block">
              <div class="code-header">SPL - one-line enrichment for any detection<button class="copy-snippet" type="button">copy</button></div>
              <pre>| eval lookup_key = lower(req_userid)
| lookup oauthsentry_user_directory.csv user_id as lookup_key
    OUTPUT user_email, user_display_name, user_jobtitle, status, first_seen, last_seen

``` For app-only flows, swap to the SP directory: ```
| eval lookup_key = lower(req_spid)
| lookup oauthsentry_sp_directory.csv sp_object_id as lookup_key
    OUTPUT sp_name, app_display_name</pre>
            </div>

            <p>Tuning recommendations specific to this directory:</p>
            <ul>
              <li><strong>Refresh cadence</strong>: daily is fine for username enrichment. New employees onboard in hours and the worst case is one alert with an unresolved object id - run an on-demand refresh if that happens during an active incident. Hourly refresh is overkill and costs CPU.</li>
              <li><strong>Lookback window for Option B</strong>: 30 days is the right balance for the sign-in-log harvest. Shorter windows miss occasional users; longer windows include departed employees whose UPN is now stale (Microsoft renames them to <code>UserName_yyyymmddT...#EXT#@tenant.onmicrosoft.com</code> after a soft-delete). For Option A the question is moot - the M365 metadata stream is authoritative for your tenant's current directory regardless of recent sign-in activity. For Option D you pull the live directory and the question doesn't apply.</li>
              <li><strong>Pick one, not all four</strong>: Option A.2 (M365 metadata with append-only history) covers the vast majority of teams. Option B is the fallback when the M365 add-on is not deployed. Option C is required only if you have detections that pivot on <code>servicePrincipalId</code> (Detection 12 doesn't, but Detection 10 with the app-only suppression logic might). Option D is for teams that need authoritative coverage of users who have never signed in - rare. Combining options creates a join cost and a versioning headache; one good source beats three half-maintained ones.</li>
              <li><strong>Don't put PII in the lookup beyond what you need</strong>: <code>object_id</code>, <code>upn</code>, <code>display_name</code> are sufficient for triage. Avoid pulling <code>jobTitle</code>, <code>department</code>, <code>officeLocation</code> etc. unless your IR team has a specific reason and your data classification allows it.</li>
              <li><strong>Audit the SP that pulls the directory</strong>: if you implement Option D, the SP itself needs <code>User.Read.All</code> + <code>Application.Read.All</code> - those are powerful permissions. Add the SP's own object id to your <code>oauthsentry_compliance</code> lookup so detections don't false-positive on its own activity, and rotate its credential like any other long-lived secret.</li>
            </ul>

            <h3>Tuning notes</h3>
            <ul>
              <li>The macros above reference three OAuthSentry catalog lookups (<code>oauthsentry_malicious</code>, <code>oauthsentry_risky</code>, <code>oauthsentry_compliance</code>) plus two optional directory lookups (<code>oauthsentry_user_directory.csv</code> and <code>oauthsentry_sp_directory.csv</code>) that Detection 13 maintains. The catalog lookups identify which app id matters; the directory lookups translate object ids into human-readable names. Both classes are CSV with at minimum a key column; populate the catalog lookups from <code>/feeds/all/{malicious,risky,compliance}.csv</code> on whatever cadence makes sense for your tenant. Splunk's built-in <em>Lookup Editor</em> app or a scheduled <code>| outputlookup</code> from a REST search are both fine.</li>
              <li>Detection 13 is not an alert in itself - it produces the <code>oauthsentry_user_directory</code> and <code>oauthsentry_sp_directory</code> lookups that every other detection above can use to enrich a bare object id into a name. Strongly recommended as a one-time setup; without it, every detection alert reads "user &lt;guid&gt;" instead of "user alice@yourdomain.com (Senior Finance Analyst)".</li>
              <li>The <a href="#enrichment-pattern" data-route="/investigation/detections">reusable enrichment pattern</a> at the top of this tab is the canonical SPL block for adding user, role and app-name resolution + risk-tier escalation to any detection's output. Detections 10/11/12 explicitly call it out in their tuning sections; Detections 1, 2, 4, 8 already filter on app classification so they only need step 1 (user-directory lookup) appended at the end of the search. The pattern is documented once instead of being copy-pasted into thirteen SPL blocks.</li>
              <li>Detection 3 (newly observed OAuth app) is the noisiest but the most valuable. Tune by adding an extra anti-join against <code>oauthsentry_compliance</code> if you want to suppress already-vetted apps automatically.</li>
              <li>Detections 1, 2, 8, 9, 10, 11, 12 are high-fidelity enough to alert on (Detection 10 specifically when the actor is a non-admin and <code>$top</code> is &gt;= 50; Detection 11 at the critical 10,000-record/1h tier; Detection 12 at the critical 100 MB/1h tier). Detections 3, 4, 5, 6 work better as scheduled hunts with daily review. Detection 7 is investigator-driven, not an alert. Detection 13 is infrastructure - it doesn't fire alerts itself, it builds the directory lookups that the other detections enrich against.</li>
              <li>Apps in the <em>risky</em> bucket are legitimate. Trigger on context (unusual user, new IP, new geography) rather than on the app id alone - detections 2 and 5 demonstrate the pattern.</li>
              <li>Where the unified audit log surfaces both <code>SessionId</code> directly and <code>AppAccessContext.AADSessionId</code>, prefer the latter - it is consistently populated for OAuth-token-driven activity, while bare <code>SessionId</code> is only present on Exchange events.</li>
              <li>The M365 Management Activity API sometimes appends a trailing period to operation names (<code>"Consent to application."</code>); Azure Monitor's diagnostic stream does not. Every search above normalises with <code>eval Operation = replace(Operation, "\.$", "")</code> so the same SPL works across both pipelines.</li>
              <li>If a search returns nothing where you expected results, <code>tail 1</code> a raw event from the relevant sourcetype and confirm the field paths match - some Splunk add-ons CIM-map <code>appId</code>, <code>ipAddress</code> and friends to flat lowercase aliases (<code>app</code>, <code>src</code>) that override the JSON-extracted versions.</li>
            </ul>

            <h3>Integrating with your existing detection stack</h3>
            <p>The thirteen detections above assume you're starting from scratch. If you already run an Entra/M365 detection stack - and most teams do - OAuthSentry's three feeds plug into rules you already have. Four patterns; each one is a small surgical change that takes a hand-maintained list off your plate or sharpens an alert tier you've already tuned.</p>

            <h4>Pattern 1: replace a hand-maintained "suspicious app id" lookup</h4>
            <p>If you have a rule like "alert when a user signs in from an app id on our internal suspicious-apps lookup" or "alert on consent to an app on our blocklist", swap the lookup for the OAuthSentry malicious feed. Same logic, daily-refreshed list, community-curated rather than a spreadsheet someone updates when they remember to.</p>
            <div class="code-block">
              <div class="code-header">SPL - before / after<button class="copy-snippet" type="button">copy</button></div>
              <pre>``` Before: hand-maintained lookup ```
... | lookup my_suspicious_apps appid OUTPUT severity comment
    | where isnotnull(severity)

``` After: OAuthSentry feeds, with risky as a second tier ```
... | `oauthsentry_malicious_lookup`
    | `oauthsentry_risky_lookup`
    | where oas_category="malicious" OR isnotnull(oas_risky_category)
    | eval severity = coalesce(oas_severity, oas_risky_severity)
    | eval bucket   = coalesce(oas_category, oas_risky_category)</pre>
            </div>

            <h4>Pattern 2: enrich an existing alert with severity / category</h4>
            <p>For rules that already fire on a real signal (mailbox accessed by an SP with a suspicious user agent, email deleted by an SP, service-account token sign-in, etc.), don't change the trigger - stamp the OAuthSentry verdict onto the alert so triage starts with context instead of a raw GUID. The analyst opens the ticket and sees <code>appid = AzureHound (risky-bucket)</code> instead of "<code>appid = some-guid, go look it up</code>".</p>
            <div class="code-block">
              <div class="code-header">SPL - enrichment block<button class="copy-snippet" type="button">copy</button></div>
              <pre>``` Add to the tail of any rule whose alert object contains an appid field. ```
``` Doesn't change firing logic, just stamps a verdict on every alert. ```
| `oauthsentry_malicious_lookup`
| `oauthsentry_risky_lookup`
| `oauthsentry_compliance_lookup`
| eval oas_verdict = case(
    oas_category    = "malicious",          "MALICIOUS - " . oas_comment,
    isnotnull(oas_risky_category),          "RISKY - "     . oas_risky_category,
    isnotnull(oas_compliance_category),     "COMPLIANCE - ". oas_compliance_category,
    true(),                                 "UNKNOWN")
| eval alert_priority = case(
    oas_category="malicious",               "P1",
    isnotnull(oas_risky_category),          "P2",
    isnotnull(oas_compliance_category),     "P4",
    true(),                                 "P3")</pre>
            </div>

            <h4>Pattern 3: suppress noise on "rare application consent" with the compliance feed</h4>
            <p>The classic baseline detection - "alert when we see a new app id we haven't observed in 90 days" - is the highest-value hunt and the noisiest detection. Joining against the compliance feed as an anti-filter drops legitimate first-party and well-known third-party apps automatically; what remains is the actual signal.</p>
            <div class="code-block">
              <div class="code-header">SPL - rare-consent suppression<button class="copy-snippet" type="button">copy</button></div>
              <pre>``` Your existing "rare application consent" rule, whatever it looks like ```
your_existing_rare_consent_search

``` Drop apps that are on the compliance feed - first-party + well-known SaaS ```
| `oauthsentry_compliance_lookup`
| where isnull(oas_compliance_category)

``` Optionally: positively flag the malicious / risky tier so the alert lands ```
``` already-tiered rather than as a flat "rare app" stream ```
| `oauthsentry_malicious_lookup`
| `oauthsentry_risky_lookup`
| eval tier = case(
    oas_category="malicious",               "confirmed-malicious",
    isnotnull(oas_risky_category),          "legit-but-abusable",
    true(),                                 "truly-unknown")</pre>
            </div>

            <h4>Pattern 4: correlate OAuth events with downstream attacker behavior</h4>
            <p>Attackers who compromise an account via OAuth consent typically pivot within 24-72 hours: enumerate the directory, create inbox forwarding rules, delete mail traces, exfil files. If you have rules for those downstream behaviors, a backward-look subsearch into recent consent events lets you escalate severity when both halves of the chain are present in the same window.</p>
            <div class="code-block">
              <div class="code-header">SPL - downstream-behavior backward-look<button class="copy-snippet" type="button">copy</button></div>
              <pre>``` Your existing rule for downstream behavior - inbox rule creation, ```
``` directory enumeration, bulk file access, anything attacker-typical. ```
your_existing_downstream_search
| eval upn = lower(userPrincipalName)

``` Look back 72h: did this same user consent to a non-compliance app? ```
| join type=left upn [
    search `oauthsentry_o365_audit` Operation="Consent to application" earliest=-72h
    | spath path=ModifiedProperties{}.NewValue output=mp_values
    | rex field=mp_values "(?&lt;recent_appid&gt;[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
    | eval upn = lower(UserId)
    | `oauthsentry_compliance_lookup`
    | where isnull(oas_compliance_category)
    | stats values(recent_appid) as recent_consent_appids by upn
  ]

``` If both halves chained, severity escalates ```
| eval severity = if(isnotnull(recent_consent_appids), "P1-chained", "P3-standalone")</pre>
            </div>

            <div class="callout">
              <strong>One pattern per rule, not all four</strong>
              These patterns are alternatives, not a stack. Pick the one that fits each rule. Rules with a hand-maintained list of bad app ids want pattern 1. Rules that already fire on a real signal want pattern 2. Baseline-driven "rare X" rules want pattern 3. Downstream-behavior rules want pattern 4. Mixing patterns 1 and 3 on the same rule (replace lookup AND suppress with compliance) is fine and common; the others usually don't combine cleanly.
            </div>
          </div>
        </div>

        <!-- ===== Hunting ===== -->
        <div class="invest-section" id="sub-hunting" hidden>
          <div class="doc-block">
            <h2>Hunting playbooks</h2>
            <p class="doc-lede">Detections fire on known-bad. Hunts find unknown-bad. These are scheduled queries that surface anomalies for triage rather than auto-page. Each is built around a baseline of "what is normal in this tenant" - run them weekly, review the deltas, promote anything actionable into the Detections tab.</p>

            <h3><span class="num">1</span> Newly observed application IDs</h3>
            <p>The single highest-value hunt. Any app id seen authenticating in your tenant for the first time in 90 days deserves a look, regardless of whether it's a malicious app, a risky-bucket app, or a legitimate one being adopted by a department.</p>
            <div class="code-block">
              <div class="code-header">SPL<button class="copy-snippet" type="button">copy</button></div>
              <pre>``` Run weekly. Lookback: last 7 days vs prior 90. ```
`oauthsentry_aad_sp_signin` resultType="0" earliest=-7d
| eval appid = lower(appId)
| stats earliest(_time) as first_seen
        dc(uniqueTokenIdentifier)    as token_count
        values(ipAddress)            as ips
        values(location)             as countries
        values(resourceDisplayName)  as resources
        values(servicePrincipalName) as sp_name
        values(appOwnerTenantId)     as owner_tenants
    by appid

``` Drop apps that have signed in in the prior 90 days. ```
| search NOT [
    search `oauthsentry_aad_sp_signin` resultType="0" earliest=-97d latest=-7d
    | eval appid = lower(appId)
    | dedup appid
    | fields appid
  ]

``` Tag Microsoft first-party tenants so triage can focus on third-party apps. ```
| eval owner_known = if(isnotnull(mvfind(owner_tenants,
        "f8cdef31-a31e-4b4a-93e4-5f571e91255a|72f988bf-86f1-41af-91ab-2d7cd011db47")),
        "microsoft", "third-party")
| convert ctime(first_seen)
| sort first_seen</pre>
            </div>

            <h3><span class="num">2</span> FOCI app spike from anomalous geography</h3>
            <p>TeamFiltration / UNK_SneakyStrike abuses family refresh tokens by signing in to multiple FOCI apps in quick succession from rotating AWS regions. The signature is a non-interactive sign-in surge against several of the family client IDs from a country the user has never signed in from before. (Note: Microsoft Authentication Broker <code>29d9ed98-a469-4536-ade2-f981bc1d605e</code> is not on Secureworks' canonical FOCI list - it's a separate device-code phishing vector. The companion query at the bottom hunts that path.)</p>
            <div class="code-block">
              <div class="code-header">SPL<button class="copy-snippet" type="button">copy</button></div>
              <pre>`oauthsentry_aad_signin` category=NonInteractiveUserSignInLogs resultType="0" earliest=-7d
    appId IN (
      "04b07795-8ddb-461a-bbee-02f9e1bf7b46",   ``` Azure CLI ```
      "1950a258-227b-4e31-a9cf-717495945fc2",   ``` Azure PowerShell ```
      "1fec8e78-bce4-4aaf-ab1b-5451cc387264",   ``` Microsoft Teams ```
      "d3590ed6-52b3-4102-aeff-aad2292ab01c",   ``` Microsoft Office ```
      "ab9b8c07-8f02-4f72-87fa-80105867a763",   ``` OneDrive SyncEngine ```
      "27922004-5251-4030-b22d-91ecd9a37ea4",   ``` Outlook Mobile ```
      "4813382a-8fa7-425e-ab75-3b753aab3abb",   ``` Authenticator App ```
      "872cd9fa-d31f-45e0-9eab-6e460a02d1f1",   ``` Visual Studio ```
      "00b41c95-dab0-4487-9791-b9d2c32c80f2",   ``` Office 365 Management ```
      "af124e86-4e96-495a-b70a-90f90ab96707",   ``` OneDrive iOS App ```
      "26a7ee05-5602-4d76-a7ba-eae8b7b67941"    ``` Windows Search ```
    )
| eval upn = lower(userPrincipalName)
| eval country = location

``` Anti-join against the prior 180 days of (user, country) pairs. ```
| join type=leftanti upn, country [
    search `oauthsentry_aad_signin` category=NonInteractiveUserSignInLogs resultType="0"
           earliest=-187d latest=-7d
    | eval upn = lower(userPrincipalName)
    | eval country = location
    | dedup upn, country
    | fields upn, country
  ]

``` Group by user-and-hour, fire when 3+ FOCI apps appear in the same hour. ```
| bin _time span=1h
| stats dc(appId)              as foci_app_count
        values(appDisplayName) as apps
        values(ipAddress)      as ips
        any(country)           as country
        count                  as sign_ins
    by upn, _time
| where foci_app_count &gt;= 3
| convert ctime(_time)
| sort - sign_ins

``` Companion hunt: device-code phishing via Microsoft Authentication Broker (UTA0355 / Storm-2372). ```
``` MAB is not FOCI, but it's the standard PRT-issuance client and the most commonly phished one. ```
`oauthsentry_aad_signin` appId="29d9ed98-a469-4536-ade2-f981bc1d605e"
    authenticationProtocol=deviceCode resultType="0" earliest=-7d
| table _time userPrincipalName ipAddress location resourceDisplayName 'deviceDetail.deviceId'
| sort _time</pre>
            </div>

            <h3><span class="num">3</span> Service principals signing in from a single IP only</h3>
            <p>Service principals are usually accessed by automation that has stable infrastructure: an SP that has only ever been seen from one IP in the last 30 days is unusual. Combined with low call volume, it's a candidate for an attacker-mounted credential.</p>
            <div class="code-block">
              <div class="code-header">SPL<button class="copy-snippet" type="button">copy</button></div>
              <pre>`oauthsentry_aad_sp_signin` resultType="0" earliest=-30d
| eval appid = lower(appId)

``` eventstats annotates each event with the dc(ipAddress) for its appid; we then keep only events for apps with ip_count = 1. ```
| eventstats dc(ipAddress) as ip_count by appid
| where ip_count = 1

| stats count                        as sign_ins
        values(ipAddress)            as src_ip
        values(servicePrincipalName) as sp_name
        earliest(_time)              as first_seen
        latest(_time)                as last_seen
    by appid
| where sign_ins &lt; 50   ``` tune to your tenant volume ```
| convert ctime(first_seen) ctime(last_seen)
| sort first_seen</pre>
            </div>

            <h3><span class="num">4</span> Federated identity credential added to an application</h3>
            <p>Federated credentials are subtle persistence: there is no client secret to spot in a credential audit, the credential record is small, and to the audit log it looks like a routine application update. Run weekly across the whole tenant; the volume should be near zero in most environments. Field paths assume Azure Monitor diagnostic stream layout (<code>properties.targetResources[].modifiedProperties[]</code>); see the tuning note below if your TA flattens them differently.</p>
            <div class="code-block">
              <div class="code-header">SPL<button class="copy-snippet" type="button">copy</button></div>
              <pre>`oauthsentry_aad_audit` earliest=-7d
| eval Operation = replace(coalesce(operationName, Operation), "\.$", "")
| where Operation IN ("Add federated identity credential",
                       "Update federated identity credential")

``` Pull modifiedProperties out of properties.targetResources[0].modifiedProperties[] ```
| spath path="properties.targetResources{}.modifiedProperties{}.displayName" output=mp_names
| spath path="properties.targetResources{}.modifiedProperties{}.newValue"    output=mp_values
| spath path="properties.targetResources{}.displayName"                      output=app_names

``` Initiator can be a user or another app (e.g. an automation pipeline) ```
| spath path="properties.initiatedBy.user.userPrincipalName" output=user_init
| spath path="properties.initiatedBy.app.displayName"        output=app_init
| eval initiator = coalesce(user_init, app_init)
| eval app_name  = mvindex(app_names, 0)

| eval issuer_idx  = mvfind(mp_names, "(?i)^issuer$")
| eval issuer      = mvindex(mp_values, issuer_idx)
| eval subject_idx = mvfind(mp_names, "(?i)^subject$")
| eval subject     = mvindex(mp_values, subject_idx)

| table _time Operation initiator app_name issuer subject correlationId
| sort - _time</pre>
            </div>

            <h3><span class="num">5</span> Actor Token Forgery retrospective hunt (CVE-2025-55241)</h3>
            <p>Patched September 2025, but pre-patch abuse leaves few traces. The cleanest residual signal: an audit-log action where the <code>initiatedBy.user.displayName</code> matches a Microsoft service name (<em>Office 365 Exchange Online</em>, <em>Microsoft Graph</em>, etc.) but the <code>userPrincipalName</code> is a real human's UPN. Microsoft services don't sign in as humans.</p>
            <div class="code-block">
              <div class="code-header">SPL<button class="copy-snippet" type="button">copy</button></div>
              <pre>``` Go back as far as your retention allows. ```
`oauthsentry_aad_audit` earliest=-180d
| spath path="properties.initiatedBy.user.userPrincipalName" output=upn_raw
| spath path="properties.initiatedBy.user.displayName"       output=svc_name
| where isnotnull(upn_raw)
| eval upn = lower(upn_raw)

``` The mismatch is the smoking gun: service-name initiator + real-looking UPN. ```
| where svc_name IN (
    "Office 365 Exchange Online", "Microsoft Graph",
    "Office 365 SharePoint Online", "Skype for Business Online",
    "Microsoft Teams Services", "Microsoft Intune",
    "Azure Multi-Factor Auth Client", "Microsoft Office 365 Portal"
  )
| where match(upn, "^[^@]+@[^@]+\.[a-z]+$")

``` Drop the legitimate combo of MS-tenant onmicrosoft.com UPNs running MS service ops. ```
| where NOT (match(upn, "@onmicrosoft\.com$") AND match(svc_name, "(?i)^Microsoft"))

| eval Operation = replace(coalesce(operationName, Operation), "\.$", "")
| table _time Operation svc_name upn correlationId
| sort _time</pre>
            </div>

            <h3><span class="num">6</span> Service principal credential added without a corresponding privileged role</h3>
            <p>Adding a credential to a service principal is sometimes legitimate (admin rotating a secret). It is suspicious when the initiator does not currently hold a role that would justify it. Joins audit logs against role-membership audits.</p>
            <div class="code-block">
              <div class="code-header">SPL<button class="copy-snippet" type="button">copy</button></div>
              <pre>`oauthsentry_aad_audit` earliest=-30d
| eval Operation = replace(coalesce(operationName, Operation), "\.$", "")
| where Operation IN ("Add service principal credentials",
                       "Update application - Certificates and secrets management")

| spath path="properties.targetResources{}.id"               output=tgt_ids
| spath path="properties.targetResources{}.displayName"      output=tgt_names
| spath path="properties.initiatedBy.user.id"                output=init_id
| spath path="properties.initiatedBy.user.userPrincipalName" output=init_upn
| eval sp_id   = mvindex(tgt_ids, 0)
| eval sp_name = mvindex(tgt_names, 0)

``` Anti-join: drop initiators who hold a privileged role assignment. ```
| join type=leftanti init_id [
    search `oauthsentry_aad_audit` earliest=-365d
    | eval Operation = replace(coalesce(operationName, Operation), "\.$", "")
    | where Operation = "Add member to role"
    | spath path="properties.targetResources{}.modifiedProperties{}.newValue" output=role_changes
    | where match(mvjoin(role_changes, " "),
        "(?i)Application Administrator|Cloud Application Administrator|Global Administrator|Privileged Role Administrator")
    | spath path="properties.targetResources{}.id" output=role_target_id
    | eval init_id = mvindex(role_target_id, 0)
    | dedup init_id
    | fields init_id
  ]

| table _time sp_name sp_id init_upn correlationId
| sort - _time</pre>
            </div>

            <h3><span class="num">7</span> CAE-aware token issuance to anomalous (user, IP) pairs</h3>
            <p>From AADInternals research. CAE tokens last ~24-28h instead of ~1h - normally a security feature, but attackers prefer them when available because they survive longer between forced re-authentications. Hunt for sign-ins issuing CAE-aware tokens to (user, IP) combinations not seen in the prior 180 days.</p>
            <div class="code-block">
              <div class="code-header">SPL<button class="copy-snippet" type="button">copy</button></div>
              <pre>`oauthsentry_aad_signin` (category=SignInLogs OR category=NonInteractiveUserSignInLogs) earliest=-7d

``` AuthenticationProcessingDetails is an array of {key, value} pairs; pull "Is CAE Token". ```
| spath path="properties.authenticationProcessingDetails{}.key"   output=apd_keys
| spath path="properties.authenticationProcessingDetails{}.value" output=apd_values
| eval cae_idx = mvfind(apd_keys, "(?i)Is CAE Token")
| where isnotnull(cae_idx)
| eval is_cae = lower(mvindex(apd_values, cae_idx))
| where is_cae = "true"

| eval upn = lower(userPrincipalName)

``` Drop (user, IP) pairs that are already familiar in the last 180 days. ```
| join type=leftanti upn, ipAddress [
    search `oauthsentry_aad_signin` category=SignInLogs earliest=-187d latest=-7d
    | eval upn = lower(userPrincipalName)
    | dedup upn, ipAddress
    | fields upn, ipAddress
  ]

| table _time upn appId appDisplayName resourceIdentity ipAddress location uniqueTokenIdentifier
| sort _time</pre>
            </div>

            <h3><span class="num">8</span> Non-developer principals using developer-tool app IDs</h3>
            <p>A senior accountant using Visual Studio Code? Possible. A senior accountant using Azure CLI for the first time ever? Almost certainly not. The ConsentFix campaign and UTA0352 both exploit pre-consented developer-tool apps that ordinary users have no business touching.</p>
            <div class="code-block">
              <div class="code-header">SPL<button class="copy-snippet" type="button">copy</button></div>
              <pre>`oauthsentry_aad_signin` (category=SignInLogs OR category=NonInteractiveUserSignInLogs)
    resultType="0" earliest=-14d
    appId IN (
      "04b07795-8ddb-461a-bbee-02f9e1bf7b46",   ``` Azure CLI ```
      "1950a258-227b-4e31-a9cf-717495945fc2",   ``` Azure PowerShell ```
      "aebc6443-996d-45c2-90f0-388ff96faa56",   ``` Visual Studio Code ```
      "04f0c124-f2bc-4f59-8241-bf6df9866bbd",   ``` Visual Studio ```
      "872cd9fa-d31f-45e0-9eab-6e460a02d1f1"    ``` Visual Studio (older client) ```
    )
| eval upn = lower(userPrincipalName)

``` Drop users who already use any of these apps in the prior 180 days. ```
| join type=leftanti upn [
    search `oauthsentry_aad_signin` (category=SignInLogs OR category=NonInteractiveUserSignInLogs)
           resultType="0" earliest=-194d latest=-14d
        appId IN (
          "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
          "1950a258-227b-4e31-a9cf-717495945fc2",
          "aebc6443-996d-45c2-90f0-388ff96faa56",
          "04f0c124-f2bc-4f59-8241-bf6df9866bbd",
          "872cd9fa-d31f-45e0-9eab-6e460a02d1f1"
        )
    | eval upn = lower(userPrincipalName)
    | dedup upn
    | fields upn
  ]

| table _time upn appDisplayName appId ipAddress location userAgent authenticationProtocol
| sort _time</pre>
            </div>

            <h3><span class="num">9</span> FOCI app token used outside the app's normal Graph traffic shape</h3>
            <p>Each FOCI app has a stable set of resources it normally talks to: Microsoft Office hits <code>/me/messages</code>, <code>/me/drive</code>, <code>/me/calendar</code>, <code>/me/joinedTeams</code>; Teams hits <code>/chats</code>, <code>/teams</code>; OneDrive hits <code>/me/drive</code>; Authenticator hits <code>/me</code> and the device endpoints. Calls from any FOCI app to <code>/users</code>, <code>/groups</code>, <code>/directoryRoles</code>, <code>/applications</code>, <code>/servicePrincipals</code> or <code>/devices</code> are post-token-theft directory recon by definition. This hunt builds a 90-day baseline of the (FOCI app, resource family) pairs your tenant actually sees, then surfaces any pair that breaks out of it.</p>
            <div class="code-block">
              <div class="code-header">SPL<button class="copy-snippet" type="button">copy</button></div>
              <pre>`oauthsentry_graph_activity` earliest=-7d
| eval req_uri    = 'properties.requestUri'
| eval req_appid  = 'properties.appId'
| eval req_spid   = 'properties.servicePrincipalId'
| eval req_userid = coalesce('properties.userId', 'properties.UserPrincipalObjectID', req_spid)
| eval req_ip     = coalesce('properties.ipAddress', callerIpAddress)

``` Restrict to FOCI apps ```
| where lower(req_appid) IN (
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46","1950a258-227b-4e31-a9cf-717495945fc2",
    "1fec8e78-bce4-4aaf-ab1b-5451cc387264","d3590ed6-52b3-4102-aeff-aad2292ab01c",
    "ab9b8c07-8f02-4f72-87fa-80105867a763","27922004-5251-4030-b22d-91ecd9a37ea4",
    "4813382a-8fa7-425e-ab75-3b753aab3abb","872cd9fa-d31f-45e0-9eab-6e460a02d1f1",
    "00b41c95-dab0-4487-9791-b9d2c32c80f2","af124e86-4e96-495a-b70a-90f90ab96707",
    "26a7ee05-5602-4d76-a7ba-eae8b7b67941"
  )

``` Normalise the endpoint to its resource family - the first segment after /v1.0/ ```
| rex field=req_uri "(?i)/v1\.0/(?&lt;resource&gt;[a-zA-Z]+)"
| eval resource = lower(resource)

``` Only the resources that have no business being touched by FOCI clients ```
| where resource IN ("users","groups","directoryroles","applications","serviceprincipals","devices")

``` Anti-join: drop (appid, resource) pairs that are commonplace in YOUR tenant ```
``` over the prior 90 days. Tune by lowering the count threshold below if your    ```
``` tenant has very low Graph volume; remove the join entirely to see raw hits.   ```
| join type=leftanti req_appid, resource [
    search `oauthsentry_graph_activity` earliest=-97d latest=-7d
    | eval req_uri   = 'properties.requestUri'
    | eval req_appid = 'properties.appId'
    | rex field=req_uri "(?i)/v1\.0/(?&lt;resource&gt;[a-zA-Z]+)"
    | eval resource = lower(resource)
    | stats count by req_appid, resource
    | where count &gt; 100
    | fields req_appid, resource
  ]

| stats count
        values(resource)   as resources_hit
        values(req_uri)    as endpoints
        values(req_userid) as users
        values(req_ip)     as src_ips
        earliest(_time)    as first_seen
        latest(_time)      as last_seen
    by req_appid
| convert ctime(first_seen) ctime(last_seen)
| sort - count</pre>
            </div>

            <h3><span class="num">10</span> Anomalous user-agents on Graph calls from FOCI apps</h3>
            <p>Real Microsoft Office, Teams, OneDrive and Authenticator clients set well-known UA strings that include the OS, the client version and the Microsoft client identifier. Graph calls from FOCI app ids carrying any of: <code>Trident</code> (Internet Explorer 11, end-of-life since 2022), <code>python-requests</code>, <code>Go-http-client</code>, <code>Java/</code>, <code>curl/</code>, ROADtools / MSAL-Python / aiohttp / OkHttp identifiers, or doubly-prefixed <code>User-Agent: User-Agent: ...</code> headers (a tooling artifact that surfaces in some attacker frameworks) are by-definition anomalous. The signal is fuzzy on its own - one or two false positives are normal - but the combination of FOCI app + tooling-style UA + non-routine resource (anti-correlate with Hunt 9) is high-confidence.</p>
            <div class="code-block">
              <div class="code-header">SPL<button class="copy-snippet" type="button">copy</button></div>
              <pre>`oauthsentry_graph_activity` earliest=-7d
| eval req_uri    = 'properties.requestUri'
| eval req_appid  = 'properties.appId'
| eval req_ua     = 'properties.userAgent'
| eval req_spid   = 'properties.servicePrincipalId'
| eval req_userid = coalesce('properties.userId', 'properties.UserPrincipalObjectID', req_spid)
| eval req_ip     = coalesce('properties.ipAddress', callerIpAddress)
| eval req_uti    = 'properties.signInActivityId'

| where lower(req_appid) IN (
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46","1950a258-227b-4e31-a9cf-717495945fc2",
    "1fec8e78-bce4-4aaf-ab1b-5451cc387264","d3590ed6-52b3-4102-aeff-aad2292ab01c",
    "ab9b8c07-8f02-4f72-87fa-80105867a763","27922004-5251-4030-b22d-91ecd9a37ea4",
    "4813382a-8fa7-425e-ab75-3b753aab3abb","872cd9fa-d31f-45e0-9eab-6e460a02d1f1",
    "00b41c95-dab0-4487-9791-b9d2c32c80f2","af124e86-4e96-495a-b70a-90f90ab96707",
    "26a7ee05-5602-4d76-a7ba-eae8b7b67941"
  )

``` Classify the UA. case() returns the first matching tag; ok = ignore. ```
| eval ua_flag = case(
    match(req_ua, "(?i)^User-Agent:\s*User-Agent:"),     "double-prefixed",
    match(req_ua, "(?i)Trident/"),                       "ie11-trident",
    match(req_ua, "(?i)python-requests"),                "python-requests",
    match(req_ua, "(?i)Go-http-client"),                 "go-http-client",
    match(req_ua, "(?i)Java/"),                          "java",
    match(req_ua, "(?i)\bcurl/"),                        "curl",
    match(req_ua, "(?i)ROADtools|MSAL.+Python|aiohttp|okhttp"), "known-recon-tooling",
    1==1, "ok"
  )
| where ua_flag != "ok"

| stats count
        values(req_ua)     as user_agents
        values(req_appid)  as appids
        values(req_uri)    as endpoints
        values(req_ip)     as src_ips
        values(req_uti)    as token_utis
        earliest(_time)    as first_seen
        latest(_time)      as last_seen
    by req_userid, ua_flag
| convert ctime(first_seen) ctime(last_seen)
| sort - count</pre>
            </div>

            <div class="callout">
              <strong>Enrichment</strong>
              Both Hunts 9 and 10 produce <code>req_userid</code> + <code>appids</code> output columns, so the <a href="#enrichment-pattern" data-route="/investigation/detections">reusable enrichment pattern</a> from the Detections tab applies unchanged. Append it at the end of either query to translate object ids and app GUIDs into routable names. The hunting-vs-alerting distinction means the risk-tier escalation in the pattern's case() block matters less here (you'll review every result anyway) - the user/role/name resolution is the main value-add for hunting workflows.
            </div>

            <div class="callout">
              <strong>Why these are hunts, not alerts</strong>
              Each query above will produce hits in a healthy tenant - new tools get adopted, legitimate admins do rotate secrets, business travel means new geographies. The value is review cadence, not auto-paging. A weekly hunting review with 20-50 candidate entries is normal; if you can't get through that volume, raise the threshold rather than ignore the queue. Anything that fires repeatedly with the same context can graduate into the Detections tab as a high-fidelity rule.
            </div>

            <div class="callout">
              <strong>Field-path tuning</strong>
              Hunts 4, 5, 6, 7 use the Azure Monitor diagnostic-stream layout where audit-log properties are nested under <code>properties.</code> (e.g. <code>properties.targetResources{}.modifiedProperties{}</code>). Hunts 9 and 10 do the same but for the Graph activity log stream and reference the nested fields directly (<code>properties.requestUri</code>, <code>properties.appId</code>, <code>properties.userAgent</code>, etc.) - this matches the <code>mscs:azure:eventhub</code> sourcetype shape verified against a real tenant fieldsummary, where 100% of Graph activity attributes live under <code>properties.*</code>. If your add-on flattens these to top-level fields, replace each <code>'properties.requestUri'</code> with <code>requestUri</code> directly. Hunts 1, 2, 3, 8 use top-level Azure sign-in fields (<code>appId</code>, <code>userPrincipalName</code>, <code>ipAddress</code>) which are stable across both the Splunk Add-on for Microsoft Cloud Services and the older Azure add-ons.
            </div>
          </div>
        </div>

        <!-- ===== Hardening ===== -->
        <div class="invest-section" id="sub-hardening" hidden>
          <div class="doc-block">
            <h2>Hardening - preventing the next attack</h2>
            <p class="doc-lede">The detections and hunts in the preceding tabs find attacks in progress. These controls reduce the attack surface so they happen less often. Roughly ordered by impact-per-effort: do the first three this quarter; the rest are months-of-work, multi-team programmes.</p>

            <h3><span class="num">1</span> Restrict end-user OAuth consent</h3>
            <p>Default Entra setting until 2024 was that any user could consent to any app for any scope. Change this so users can only consent to verified-publisher apps requesting low-risk scopes; everything else routes through admin-consent workflow. Single highest-impact OAuth control.</p>
            <div class="code-block">
              <div class="code-header">PowerShell - Microsoft Graph SDK<button class="copy-snippet" type="button">copy</button></div>
              <pre>Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# Allow users to consent only to apps from verified publishers, low-risk scopes.
# Use the canonical -BodyParameter pattern with camelCase field names.
$params = @{
  defaultUserRolePermissions = @{
    permissionGrantPoliciesAssigned = @(
      "managePermissionGrantsForSelf.microsoft-user-default-low"
    )
  }
}
Update-MgPolicyAuthorizationPolicy -BodyParameter $params

# Or block end-user consent entirely (safest, but creates admin-consent backlog):
# $params = @{
#   defaultUserRolePermissions = @{
#     permissionGrantPoliciesAssigned = @()
#   }
# }
# Update-MgPolicyAuthorizationPolicy -BodyParameter $params

# Enable the admin-consent request workflow so users can ask. Note: this cmdlet
# expects the $reviewerSettings list of users/groups/roles - replace the placeholder.
Update-MgPolicyAdminConsentRequestPolicy `
  -IsEnabled:$true `
  -NotifyReviewers:$true `
  -RemindersEnabled:$true `
  -RequestDurationInDays 30 `
  -Reviewers @(
    @{
      Query     = "/users/&lt;reviewer-upn&gt;"
      QueryType = "MicrosoftGraph"
      QueryRoot = $null
    }
  )</pre>
            </div>

            <h3><span class="num">2</span> Apply app instance property lock to every app you own</h3>
            <p>Enabled by default since March 2024 for new apps, but legacy apps registered before then need backfill. The lock blocks adding credentials to the service principal in any tenant once the app is provisioned, defeating the SP credential backdoor technique used in Solorigate / Midnight Blizzard / "Misowned and Dangerous".</p>
            <div class="code-block">
              <div class="code-header">PowerShell<button class="copy-snippet" type="button">copy</button></div>
              <pre>Connect-MgGraph -Scopes "Application.ReadWrite.All"

# All multi-tenant apps registered before March 2024 with no lock configured
$apps = Get-MgApplication -All |
  Where-Object {
    $_.SignInAudience -ne "AzureADMyOrg" -and
    -not $_.ServicePrincipalLockConfiguration.IsEnabled
  }

# Canonical Microsoft pattern: -BodyParameter with camelCase property names.
# isEnabled + allProperties = true is the maximum-restriction shorthand;
# it implicitly locks credentials and tokenEncryptionKeyId without naming them.
foreach ($app in $apps) {
  Write-Host "Locking $($app.DisplayName)"
  $params = @{
    servicePrincipalLockConfiguration = @{
      isEnabled     = $true
      allProperties = $true
    }
  }
  Update-MgApplication -ApplicationId $app.Id -BodyParameter $params
}

# If you need fine-grained locking (e.g. to allow tokenEncryptionKeyId changes
# but block credential additions), name each property explicitly instead:
#   servicePrincipalLockConfiguration = @{
#     isEnabled                   = $true
#     credentialsWithUsageVerify  = $true
#     credentialsWithUsageSign    = $true
#     tokenEncryptionKeyId        = $false
#   }</pre>
            </div>

            <h3><span class="num">3</span> Block device-code flow in Conditional Access</h3>
            <p>Storm-2372 and the Russian campaigns Volexity tracked all rely on device-code phishing. Unless you have remote IoT devices that authenticate via device-code, block the flow. Note this also affects some legitimate scenarios (some printer auth, some old PowerShell modules) - test in report-only mode first.</p>
            <div class="code-block">
              <div class="code-header">PowerShell<button class="copy-snippet" type="button">copy</button></div>
              <pre>Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$params = @{
  DisplayName = "Block device-code flow (with Helpdesk exception)"
  State       = "enabledForReportingButNotEnforced"   # change to "enabled" after pilot
  Conditions  = @{
    ClientAppTypes      = @("all")
    Applications        = @{ IncludeApplications = @("All") }
    Users               = @{
      IncludeUsers      = @("All")
      ExcludeGroups     = @("&lt;helpdesk-break-glass-group-id&gt;")
    }
    AuthenticationFlows = @{
      TransferMethods   = "deviceCodeFlow"
    }
  }
  GrantControls = @{
    Operator          = "OR"
    BuiltInControls   = @("block")
  }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $params</pre>
            </div>

            <h3><span class="num">4</span> Conditional Access for workload identities (Entra ID P1+)</h3>
            <p>Service principals can be put under CA policies just like users. Common pattern: high-privilege SPs only authenticate from named locations (your build farm, your hosted automation tenant). Stops a stolen client secret from being usable from the open internet. Requires Entra ID Workload Identities Premium.</p>
            <div class="code-block">
              <div class="code-header">PowerShell<button class="copy-snippet" type="button">copy</button></div>
              <pre>$params = @{
  DisplayName = "SPs from corporate egress only"
  State       = "enabled"
  Conditions  = @{
    ClientAppTypes = @("all")
    Applications   = @{ IncludeApplications = @("All") }
    ClientApplications = @{
      IncludeServicePrincipals = @("ServicePrincipalsInMyTenant")
    }
    Locations = @{
      IncludeLocations = @("All")
      ExcludeLocations = @("&lt;named-corporate-egress-id&gt;")
    }
  }
  GrantControls = @{
    Operator        = "OR"
    BuiltInControls = @("block")
  }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $params</pre>
            </div>

            <h3><span class="num">5</span> Make Continuous Access Evaluation strict</h3>
            <p>CAE is on by default in opportunistic mode: if the client supports it, near-real-time revocation works; if not, it falls back to one-hour tokens. <em>Strict enforcement</em> mode requires CAE-aware clients and rejects access otherwise - close to a hard guarantee that revoking a refresh token actually evicts the attacker. Trade-off: legacy clients that haven't been updated to be CAE-aware will break. Pilot first.</p>
            <p>Configure under <strong>Conditional Access &rarr; Session controls &rarr; Customize continuous access evaluation &rarr; Strictly enforce location policies</strong>.</p>

            <h3><span class="num">6</span> Audit Configurable Token Lifetime policies</h3>
            <p>Microsoft's default access-token TTL is a randomized 60-90 minutes (or 2 hours flat for Teams / M365 in non-CA tenants). Tenants can override this via Configurable Token Lifetime (CTL) policies, with the maximum being <strong>24 hours</strong>. Long-lived tokens improve UX for long-running scripts but directly proportionally widen the post-token-theft exposure window: a 24h CTL means a stolen token issued at 09:00 stays valid until 09:00 the next day, regardless of any password reset, account disablement, or session revocation you trigger in between (per the Remediation note - access tokens cannot be revoked, only CAE narrows this for CAE-aware resources). Audit your tenant's CTL policies and challenge any that exceed two hours:</p>
            <div class="code-block">
              <div class="code-header">PowerShell - inventory CTL policies<button class="copy-snippet" type="button">copy</button></div>
              <pre>``` Connect with Policy.Read.All ```
Connect-MgGraph -Scopes "Policy.Read.All"

``` List every token-lifetime policy in the tenant and parse the AccessTokenLifetime value ```
Get-MgPolicyTokenLifetimePolicy | ForEach-Object {
    $def = $_.Definition[0] | ConvertFrom-Json
    $atl = $def.TokenLifetimePolicy.AccessTokenLifetime
    [PSCustomObject]@{
        DisplayName            = $_.DisplayName
        Id                     = $_.Id
        IsOrganizationDefault  = $_.IsOrganizationDefault
        AccessTokenLifetime    = $atl                                ``` "HH:MM:SS" or "D.HH:MM:SS" ```
        AppliedToServicePrincipals = (Get-MgServicePrincipal -All |
            Where-Object { (Get-MgServicePrincipalTokenLifetimePolicy -ServicePrincipalId $_.Id -ErrorAction SilentlyContinue).Id -contains $_.Id } |
            ForEach-Object DisplayName)
    }
} | Format-Table -AutoSize

``` Anything &gt;= 02:00:00 deserves a documented business reason. ```
``` Anything &gt;= 23:00:00 (the ~24h max) significantly extends post-incident exposure. ```</pre>
            </div>
            <p>Refresh-token and session-token lifetimes have not been CTL-configurable since 30 January 2021 - those are managed exclusively via Conditional Access sign-in frequency, with the default being a 90-day rolling window. Reduce sign-in frequency for high-risk groups (privileged roles, finance, executives) to shorten the refresh-token survival window; pair with CAE strict mode (control 5) so refresh-token revocation actually evicts.</p>

            <h3><span class="num">7</span> Review and remove unowned / unsafe app ownerships</h3>
            <p>The "Misowned and Dangerous" attack is impossible if no standard user owns an SP that has a privileged role. Hunt for the combination, then either remove the user's ownership or remove the privileged role from the SP.</p>
            <div class="code-block">
              <div class="code-header">PowerShell<button class="copy-snippet" type="button">copy</button></div>
              <pre>Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All",
                       "RoleManagement.Read.Directory"

$privilegedRoleIds = (Get-MgDirectoryRole | Where-Object {
  $_.DisplayName -in @(
    "Global Administrator","Privileged Role Administrator",
    "Application Administrator","Cloud Application Administrator",
    "Privileged Authentication Administrator","User Administrator",
    "Exchange Administrator","SharePoint Administrator")
}).Id

$findings = @()
foreach ($sp in Get-MgServicePrincipal -All) {
  $assignments = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($sp.Id)'"
  if (-not $assignments) { continue }

  $privAssignments = $assignments | Where-Object {
    $_.RoleDefinitionId -in $privilegedRoleIds
  }
  if (-not $privAssignments) { continue }

  $owners = Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id
  foreach ($o in $owners) {
    $findings += [pscustomobject]@{
      ServicePrincipal = $sp.DisplayName
      AppId            = $sp.AppId
      Roles            = ($privAssignments.RoleDefinitionId -join ", ")
      OwnerUpn         = $o.AdditionalProperties.userPrincipalName
      OwnerId          = $o.Id
    }
  }
}
$findings | Sort-Object ServicePrincipal | Format-Table -AutoSize</pre>
            </div>

            <h3><span class="num">8</span> Enable Microsoft Graph activity logs</h3>
            <p>Off by default. Without them you can prove the malicious app got a token but not what it did with it. Stream <code>MicrosoftGraphActivityLogs</code> via Azure Monitor diagnostic settings to whatever destination feeds your Splunk index (typically Event Hub for the Splunk Add-on for Microsoft Cloud Services, or a Storage Account for the older HTTP Event Collector flow); budget for ~10-20% extra volume on a busy tenant.</p>
            <div class="code-block">
              <div class="code-header">PowerShell<button class="copy-snippet" type="button">copy</button></div>
              <pre># Enable diagnostic setting at tenant scope. The category names below are
# Azure Monitor diagnostic categories (not Splunk sourcetypes); they stay the
# same regardless of which destination you ship them to.
$diag = @{
  name             = "GraphActivityToSplunk"
  eventHubAuthRule = "/subscriptions/&lt;sub&gt;/resourceGroups/&lt;rg&gt;/providers/" +
                     "Microsoft.EventHub/namespaces/&lt;ns&gt;/authorizationRules/RootManageSharedAccessKey"
  eventHubName     = "azure-diagnostics"
  logs             = @(
    @{ category = "MicrosoftGraphActivityLogs";   enabled = $true }
    @{ category = "AuditLogs";                    enabled = $true }
    @{ category = "SignInLogs";                   enabled = $true }
    @{ category = "NonInteractiveUserSignInLogs"; enabled = $true }
    @{ category = "ServicePrincipalSignInLogs";   enabled = $true }
  )
}
# Apply via the Entra portal: Identity &gt; Monitoring &amp; health &gt; Diagnostic settings &gt;
# Add diagnostic setting &gt; select all categories &gt; route to your Event Hub /
# Storage Account, then point the Splunk Add-on for Microsoft Cloud Services at it.</pre>
            </div>

            <h3><span class="num">9</span> Audit Intune / DeviceManagementConfiguration permissions</h3>
            <p>Mandiant's 2024 research showed that an SP holding <code>DeviceManagementConfiguration.ReadWrite.All</code> can push scripts to Intune-managed Privileged Access Workstations and execute arbitrary code as SYSTEM. Treat this scope, plus <code>RoleManagement.ReadWrite.Directory</code>, <code>AppRoleAssignment.ReadWrite.All</code>, and <code>Application.ReadWrite.All</code>, as Tier-0 - inventory every SP with them.</p>
            <div class="code-block">
              <div class="code-header">PowerShell<button class="copy-snippet" type="button">copy</button></div>
              <pre>$tier0Scopes = @(
  "DeviceManagementConfiguration.ReadWrite.All",
  "RoleManagement.ReadWrite.Directory",
  "AppRoleAssignment.ReadWrite.All",
  "Application.ReadWrite.All",
  "Directory.ReadWrite.All",
  "Mail.ReadWrite", "Files.ReadWrite.All"
)
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

$tier0AppRoleIds = $graphSp.AppRoles |
  Where-Object { $_.Value -in $tier0Scopes } |
  Select-Object Id, Value

Get-MgServicePrincipal -All | ForEach-Object {
  $sp = $_
  $assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object { $_.AppRoleId -in $tier0AppRoleIds.Id }
  foreach ($a in $assignments) {
    [pscustomobject]@{
      Sp        = $sp.DisplayName
      AppId     = $sp.AppId
      Scope     = ($tier0AppRoleIds | Where-Object { $_.Id -eq $a.AppRoleId }).Value
      Resource  = $a.ResourceDisplayName
    }
  }
} | Format-Table -AutoSize</pre>
            </div>

            <h3><span class="num">10</span> Cross-tenant access settings - default to deny</h3>
            <p>Cross-tenant access settings define which other tenants can access yours. The default is permissive (any tenant). Lock this down: explicit allow-list of partner tenants, with B2B collaboration restricted to specific groups.</p>
            <p>Configure under <strong>Entra admin center &rarr; External Identities &rarr; Cross-tenant access settings &rarr; Default settings</strong>. Set inbound and outbound to <em>Block access</em>, then add explicit organisation entries for each legitimate partner.</p>

            <h3><span class="num">11</span> Quarterly OAuth review checklist</h3>
            <p>Cadence ritual. Block 90 minutes per quarter for the IAM team:</p>
            <ul class="checklist">
              <li><strong>Pull all Tier-0 SPs</strong> via the script in step 8 - do all of them still need that scope?</li>
              <li><strong>Owner audit</strong> via step 6 - any new owners in the last 90 days?</li>
              <li><strong>Stale credentials</strong> - any SP with a client secret older than your rotation policy? Any SP with credentials it has not used in &gt;90 days?</li>
              <li><strong>Verified publisher gap</strong> - which non-verified-publisher apps have any user consents? Move them to admin-consent.</li>
              <li><strong>Cross-tenant settings</strong> - new partner tenants added since last review? Decommissioned but still trusted?</li>
              <li><strong>OAuthSentry feed</strong> - is the daily ingestion working? When was the last malicious-feed update detected by your SIEM?</li>
            </ul>

            <h3><span class="num">12</span> Continuous validation with Maester</h3>
            <p>The quarterly checklist above is human-paced and forgets things. <a href="https://maester.dev/">Maester</a> (Merill Fernando, Fabian Bader, Thomas Naunheim, Mike Soule and contributors) is an open-source PowerShell + Pester test framework that turns each Entra security control into a daily-runnable test - currently used by 128,000+ tenants. The relevant tests for the controls in this tab ship out of the box; pin them to a CI pipeline and you get a fail-the-build signal the moment one regresses.</p>
            <table class="kv-table">
              <thead><tr><th>OAuthSentry control</th><th>Maester test that validates it</th></tr></thead>
              <tbody>
                <tr><td>1. Restrict user consent (this tab)</td><td class="mono">Test-MtCisaAppUserConsent, EIDSCA.AP08, EIDSCA.AP09, EIDSCA.CP03, EIDSCA.CP04</td></tr>
                <tr><td>1. Admin-consent workflow enabled</td><td class="mono">EIDSCA.CR01, EIDSCA.CR02, EIDSCA.CR03, EIDSCA.CR04</td></tr>
                <tr><td>2. App instance property lock</td><td class="mono">Test-MtServicePrincipalsForAllUsers (third-party SPs open to all users)</td></tr>
                <tr><td>4. Workload identity Conditional Access</td><td class="mono">Test-MtSpExchangeAppAccessPolicy (SPs with Exchange permissions have ApplicationAccessPolicy)</td></tr>
                <tr><td>6. Application ownership audit</td><td class="mono">Test-MtXspmAppRegWithPrivilegedApiAndOwners</td></tr>
                <tr><td>3, 5. CA hygiene (block device-code, CAE strict)</td><td class="mono">Test-MtCisaBlockHighRiskSignIn, Test-MtCisaBlockHighRiskUser, plus the full <code>-Tag CA</code> suite</td></tr>
              </tbody>
            </table>
            <div class="code-block">
              <div class="code-header">PowerShell - Maester one-time setup<button class="copy-snippet" type="button">copy</button></div>
              <pre>Install-Module Maester -Scope CurrentUser
md ~/maester-tests; cd ~/maester-tests
Install-MaesterTests       # pulls EIDSCA + CISA + Maester tests

Connect-Maester            # interactive sign-in, requests read-only Graph scopes
Invoke-Maester             # runs everything, writes ./test-results/TestResults.html
Invoke-Maester -Tag App    # OAuth/app-related tests only

# Production: wire it into GitHub Actions or Azure DevOps with workload identity
# federation (no secrets) per https://maester.dev/docs/monitoring/ - daily run,
# email/Teams notification on regression.</pre>
            </div>
            <p>For Conditional Access specifically, Jasper Baes' <a href="https://github.com/jasperbaes/Conditional-Access-Validator">Conditional Access Validator</a> generates Maester tests automatically from your existing CA policies - useful when you've inherited a tenant and want a baseline of what's currently enforced before changing anything.</p>
          </div>
        </div>

        <!-- ===== Google Workspace ===== -->
        <div class="invest-section" id="sub-google" hidden>
          <div class="doc-block">
            <h2>OAuth abuse against Google Workspace <span style="font-family: var(--font-display); font-size: 0.55em; vertical-align: 0.4em; padding: 3px 8px; background: var(--accent); color: var(--bg); border-radius: 3px; letter-spacing: 0.04em; text-transform: uppercase; font-weight: 700;">beta</span></h2>
            <div style="border-left: 3px solid var(--accent); padding: 12px 16px; margin: 0 0 24px; background: rgba(255,255,255,0.02); font-size: 14px; color: var(--text-dim);">
              <strong style="color: var(--text);">Beta - field paths, command syntax and Admin Console paths in this section are based on Google's published documentation but have not been independently re-tested in a live tenant for this release.</strong> Verify the specifics (sourcetypes, exact GAM flag names, current Admin Console menu wording) in your environment before relying on them. Corrections welcome at <a href="https://github.com/oauthsentry/oauthsentry.github.io/issues">github.com/oauthsentry/oauthsentry.github.io/issues</a>.
            </div>
            <p class="doc-lede">Google Workspace's OAuth threat surface is smaller than Entra's but the same class of attack works: a user grants a third-party app access to Gmail, Drive or Contacts, and the attacker exfiltrates from cloud-to-cloud without ever touching the endpoint. The two in-the-wild cases that drive OAuthSentry's malicious feed today (Salesloft Drift / UNC6395 in August 2025, and Context.ai / Vercel in April 2026) both followed this pattern. This subtab covers the audit trail, detection queries and revocation tooling specific to Google.</p>

            <h3><span class="num">1</span> Tradecraft and known-bad apps</h3>
            <p>The attack pattern Google Workspace defenders should expect:</p>
            <ul>
              <li><strong>Vendor compromise pivot.</strong> Attacker steals OAuth tokens from a SaaS integration vendor (Salesloft Drift, Context.ai, marketing automation tools) and uses those tokens to read Gmail / Drive / Contacts at scale across every customer that consented to the integration. Detection has to start at the token activity level - the user did consent legitimately, just to a now-compromised vendor.</li>
              <li><strong>Mass-mailer phishing apps.</strong> Lookalike apps mimicking Google products that request <code>https://www.googleapis.com/auth/contacts</code> + <code>https://www.googleapis.com/auth/gmail.send</code>. Once consented, the app reads contacts, sends the same consent prompt to every contact, and propagates virally. The <a href="https://www.theverge.com/2017/5/3/15534768/google-docs-phishing-attack-share-this-document-with-you-spam">May 2017 "Google Docs" worm</a> is the canonical example - the attack still works because the consent prompt is generic.</li>
              <li><strong>Broad-mailbox-access scope.</strong> The legacy <code>https://mail.google.com/</code> scope grants the holder full Gmail access (read, send, modify, delete) and is the scope used by IMAP/SMTP/POP clients. Apps requesting this scope are almost always either legitimate desktop mail clients (Outlook, Thunderbird, eM Client, Apple Mail) or attacker tools mimicking them. The detection clue is the combination of <code>client_type</code> and the scope set: a <code>WEB</code> client requesting <code>mail.google.com</code> is rare and worth investigating.</li>
            </ul>

            <p>The two app IDs OAuthSentry currently classifies as malicious for Google Workspace (curated by <a href="https://github.com/mthcht/awesome-lists/blob/main/Lists/OAuth/google_oauth_apps.csv">mthcht/awesome-lists</a>):</p>
            <table class="kv-table">
              <thead><tr><th>App</th><th>Client ID</th><th>Why</th></tr></thead>
              <tbody>
                <tr>
                  <td>Context.ai / AI Office Suite</td>
                  <td class="mono">110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com</td>
                  <td>OAuth client behind Context.ai's deprecated AI Office Suite (consumer product). Compromised in March 2026; <a href="https://vercel.com/kb/bulletin/vercel-april-2026-security-incident">Vercel disclosed on April 19, 2026</a> that an attacker used a stolen Context.ai OAuth token to pivot into a Vercel employee's Google Workspace account and from there into Vercel's environment. <a href="https://www.wiz.io/blog/contextai-oauth-token-compromise">Wiz</a> and <a href="https://context.ai/security-update">Context.ai's own statement</a> confirmed the OAuth token leak. Vercel published this client ID as the canonical IOC.</td>
                </tr>
                <tr>
                  <td>Salesloft Drift Email</td>
                  <td class="mono">1084253493764-ipb2ntp4jb4rmqc76jp7habdrhfdus3q.apps.googleusercontent.com</td>
                  <td>Salesloft Drift's Google Workspace OAuth integration. UNC6395 (tracked by <a href="https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift">Google Threat Intelligence Group</a>) used compromised Drift OAuth tokens to access Gmail data on August 9, 2025; the broader Salesforce campaign ran August 8-18. <strong>Google revoked all Drift Email OAuth tokens on August 29, 2025</strong>, so the active-threat window is closed - hunt your historical token / login audit logs for any pre-revocation activity tied to this client ID to assess past exposure. <a href="https://astrix.security/learn/blog/critical-update-astrix-research-team-discovers-unc6395-oauth-compromise-spanning-salesforce-google-workspace-and-aws/">Astrix</a> and <a href="https://www.widefield.ai/blog/more-salesloft-drift-compromise-expanding-to-more-apps-than-salesforce">WideField</a> independently published this client ID as an IOC.</td>
                </tr>
              </tbody>
            </table>

            <h3><span class="num">2</span> Audit trail - the Admin SDK Reports API</h3>
            <p>Every OAuth grant, revocation and token-driven API call against a Google Workspace tenant is recorded in the <a href="https://developers.google.com/admin-sdk/reports/v1/reference/activities">Admin SDK Reports API</a>. The events live under different <code>applicationName</code> values - the OAuth ones defenders care about are:</p>
            <table class="kv-table">
              <thead><tr><th>applicationName</th><th>What it records</th></tr></thead>
              <tbody>
                <tr><td class="mono">token</td><td>OAuth grants, revocations, token requests and per-call activity. The single highest-value source for OAuth hunting. Four event names, all with <code>type=auth</code>: <code>authorize</code>, <code>revoke</code>, <code>request</code>, <code>activity</code>.</td></tr>
                <tr><td class="mono">login</td><td>User sign-ins, including SSO via OAuth federation. Useful for correlating consent-prompt acceptance with the source IP and device.</td></tr>
                <tr><td class="mono">admin</td><td>Admin Console actions. Pivot here to see if an admin granted domain-wide delegation, changed an OAuth app trust setting, or whitelisted a client ID.</td></tr>
              </tbody>
            </table>

            <p>The shape of an <code>authorize</code> event in the <code>token</code> application:</p>
            <div class="code-block">
              <div class="code-header">Reports API authorize event (anonymized)<button class="copy-snippet" type="button">copy</button></div>
              <pre>{
  "kind":   "audit#activity",
  "id":     { "time": "2026-04-27T07:20:47.123Z", "uniqueQualifier": "...",
              "applicationName": "token", "customerId": "C0&lt;tenant&gt;" },
  "actor":  { "email": "user@yourdomain.com", "profileId": "&lt;profile-id&gt;",
              "callerType": "USER" },
  "ipAddress": "203.0.113.42",
  "events": [
    {
      "type": "auth",
      "name": "authorize",
      "parameters": [
        { "name": "client_id",   "value": "1084253493764-ipb2ntp4jb4rmqc76jp7habdrhfdus3q.apps.googleusercontent.com" },
        { "name": "app_name",    "value": "Drift Email" },
        { "name": "client_type", "value": "WEB" },
        { "name": "scope",       "multiValue": [
            "https://www.googleapis.com/auth/gmail.readonly",
            "https://www.googleapis.com/auth/userinfo.email",
            "openid"
          ] },
        { "name": "scope_data",  "multiMessageValue": [...] }
      ]
    }
  ]
}</pre>
            </div>

            <p>The four fields defenders pivot on, with paths confirmed against the shape above:</p>
            <ul>
              <li><strong>OAuth client ID</strong> (the equivalent of Entra's AppId) - <code>events[].parameters[]</code> where <code>name=="client_id"</code>. Lower-case it and match against OAuthSentry's <code>feeds/google/google_malicious.txt</code>. Google client IDs are not GUIDs - they end in <code>.apps.googleusercontent.com</code> and the leading numeric segment is the project number.</li>
              <li><strong>Granted scopes</strong> - <code>events[].parameters[]</code> where <code>name=="scope"</code>, <code>multiValue</code> field is the array. <code>https://mail.google.com/</code>, <code>https://www.googleapis.com/auth/gmail.send</code>, <code>https://www.googleapis.com/auth/drive</code> and <code>https://www.googleapis.com/auth/contacts</code> are the four high-impact reads/writes; the <code>.readonly</code> variants matter for exfil hunts.</li>
              <li><strong>Consenting user</strong> - top-level <code>actor.email</code> + <code>actor.profileId</code>. Pair with the <code>login</code> application events on the same <code>profileId</code> to recover the IP, device and 2SV factor used at consent time.</li>
              <li><strong>Client type</strong> - <code>events[].parameters[]</code> where <code>name=="client_type"</code>. Per Google's reference, possible values are <code>WEB</code> (browser-based OAuth flow with a consent prompt), <code>NATIVE_DESKTOP</code> (installed desktop client like Outlook, Thunderbird, eM Client), <code>NATIVE_ANDROID</code>, <code>NATIVE_IOS</code>, <code>NATIVE_CHROME_EXTENSION</code>, <code>NATIVE_APPLICATION</code>, <code>CONNECTED_DEVICE</code>, and a handful of platform-specific values plus <code>TYPE_UNSPECIFIED</code>. The full enum is in the <a href="https://developers.google.com/admin-sdk/reports/v1/appendix/activity/token">OAuth Token Audit Activity Events reference</a>. Domain-wide delegation impersonation does not appear here as a <code>client_type</code> value - it shows up separately in the Admin Console under API controls.</li>
            </ul>

            <h3><span class="num">3</span> Detection queries</h3>
            <p>Google Workspace audit data can be queried three ways: directly against the Reports API, via <a href="https://github.com/GAM-team/GAM">GAM</a> (the open-source admin tool), or against your SIEM if you forward Workspace logs there (most do via <a href="https://cloud.google.com/architecture/exporting-stackdriver-logging-for-splunk">Pub/Sub - Splunk</a> or the native Workspace Splunk add-on). Examples for each:</p>

            <p><strong>Detection 1: any consent grant for a known-malicious app, via Reports API directly.</strong> A read-only GCP service account with the <code>https://www.googleapis.com/auth/admin.reports.audit.readonly</code> scope can poll this on a 5-minute cadence:</p>
            <div class="code-block">
              <div class="code-header">curl - Reports API token authorize hunt<button class="copy-snippet" type="button">copy</button></div>
              <pre>``` Get the last hour of authorize events across the tenant ```
ACCESS_TOKEN=$(gcloud auth application-default print-access-token)
START=$(date -u -d '1 hour ago' +%Y-%m-%dT%H:%M:%S.000Z)

curl -s -H "Authorization: Bearer $ACCESS_TOKEN" \
  "https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/token?eventName=authorize&startTime=$START" \
| jq -r '
    .items[]
    | . as $item
    | .events[]
    | select(.name == "authorize")
    | [
        $item.id.time,
        $item.actor.email,
        $item.ipAddress,
        ((.parameters[] | select(.name == "client_id") | .value)         // ""),
        ((.parameters[] | select(.name == "app_name")  | .value)         // ""),
        ((.parameters[] | select(.name == "scope")     | .multiValue | join(";")) // "")
      ]
    | @csv
  ' \
| awk -F',' 'BEGIN { while((getline l &lt; "/path/to/feeds/google/google_malicious.txt") > 0) bad[tolower(l)]=1 }
             { id=tolower($4); gsub(/"/, "", id); if (bad[id]) print "MALICIOUS:", $0 }'</pre>
            </div>

            <p><strong>Detection 2: any consent for a high-impact scope, via GAM.</strong> <a href="https://github.com/GAM-team/GAM">GAM</a> wraps the Reports API and is faster to iterate than raw curl. The exact GAM <code>report token</code> flag syntax for time ranges and event filters varies between GAM 6 / GAM 7 / GAMADV-XTD3 - <strong>consult the <a href="https://github.com/GAM-team/GAM/wiki/Reports">Reports wiki</a> for your installed version</strong>. The two reliably-portable token commands across versions are showing and revoking tokens directly:</p>
            <div class="code-block">
              <div class="code-header">GAM - inventory and revoke tokens<button class="copy-snippet" type="button">copy</button></div>
              <pre>``` Per-user view of currently-granted tokens (run before mass revocation) ```
gam user user@yourdomain.com show tokens

``` Tenant-wide token inventory: every client_id every user has authorized ```
gam all users print tokens

``` Filter the inventory to a single client (e.g. an OAuthSentry malicious entry) ```
gam all users print tokens clientid 1084253493764-ipb2ntp4jb4rmqc76jp7habdrhfdus3q.apps.googleusercontent.com</pre>
            </div>
            <p>For ad-hoc OAuth-token report queries against the Admin SDK, the curl approach in Detection 1 is the most stable across environments since it speaks directly to the documented API.</p>

            <p><strong>Detection 3: SIEM-side, if you ingest Workspace logs.</strong> Most Workspace customers forward Reports API events into a SIEM via Pub/Sub or a vendor add-on. Field names in the SIEM mirror the Reports API JSON, so the pattern is identical to Detection 1; the example below uses Splunk syntax with the Workspace add-on's typical field naming - <strong>verify the sourcetype and exact field paths in your environment before deploying</strong>, since add-on conventions differ:</p>
            <div class="code-block">
              <div class="code-header">SPL - Workspace token authorize against malicious feed<button class="copy-snippet" type="button">copy</button></div>
              <pre>index=gws sourcetype=gws:reports:token name=authorize
| eval client_id   = lower(mvindex(parameters_value, mvfind(parameters_name, "client_id")))
| eval app_name    = mvindex(parameters_value, mvfind(parameters_name, "app_name"))
| eval client_type = mvindex(parameters_value, mvfind(parameters_name, "client_type"))
| eval scopes      = mvjoin(json_extract(parameters, "$..multiValue[*]"), ", ")

| lookup oauthsentry_google_malicious appid as client_id
    OUTPUT category as oas_category, severity as oas_severity, comment as oas_comment
| where oas_category = "malicious"

| stats count
        earliest(_time) as first_seen
        latest(_time)   as last_seen
        values(actor_email) as users
        values(ipAddress)   as src_ips
        values(scopes)      as scopes
    by client_id, app_name, client_type, oas_severity, oas_comment

| convert ctime(first_seen) ctime(last_seen)</pre>
            </div>

            <h3><span class="num">4</span> Remediation - revoking OAuth tokens</h3>
            <p>Google's revocation model is per-(user, client_id). There is no tenant-wide "block this app" toggle that retroactively kills existing tokens; you must enumerate and revoke. The two paths:</p>

            <p><strong>Mass revocation via GAM</strong> (the right tool when an app is on OAuthSentry's malicious list and you need to evict it from every user in the domain in one shot):</p>
            <div class="code-block">
              <div class="code-header">GAM - mass token revocation<button class="copy-snippet" type="button">copy</button></div>
              <pre>``` Single user, single client - the targeted revocation ```
gam user victim@yourdomain.com delete token clientid \
  1084253493764-ipb2ntp4jb4rmqc76jp7habdrhfdus3q.apps.googleusercontent.com

``` Tenant-wide: revoke this client across every user ```
gam all users delete token clientid \
  1084253493764-ipb2ntp4jb4rmqc76jp7habdrhfdus3q.apps.googleusercontent.com

``` Audit trail: confirm the revocations landed by re-listing tokens for the client ```
``` (a successful mass-revoke means this returns no rows for any user) ```
gam all users print tokens clientid 1084253493764-ipb2ntp4jb4rmqc76jp7habdrhfdus3q.apps.googleusercontent.com</pre>
            </div>

            <p><strong>Admin Console path</strong> (one-off use; for muscle-memory or when you don't have GAM deployed):</p>
            <ol>
              <li>Admin Console &rarr; <strong>Security</strong> &rarr; <strong>Access and data control</strong> &rarr; <strong>API controls</strong>.</li>
              <li><strong>Manage Third-Party App Access</strong>: search for the client ID, set Access to <strong>Blocked</strong>. This prevents future grants but does not revoke existing tokens - GAM still required for that.</li>
              <li><strong>Domain-wide delegation</strong>: if the malicious client appears here, remove the entry. DWD entries grant the app the ability to impersonate any user without per-user consent; presence here is critical-severity.</li>
              <li>Reports &rarr; Audit and investigation &rarr; <strong>Token log events</strong> (the OAuth audit view; menu name has changed across Workspace editions, look for "Token" or "OAuth"): confirm the <code>revoke</code> events appeared for every user that previously had a token.</li>
            </ol>

            <h3><span class="num">5</span> Hardening - the controls that prevent the next consent attack</h3>
            <ul>
              <li><strong>Block unverified apps tenant-wide.</strong> Admin Console &rarr; Security &rarr; Access and data control &rarr; API controls &rarr; <strong>App access control</strong>. Set the default access for unconfigured third-party apps to blocked (the exact toggle label varies between Workspace editions and has been renamed by Google over time - the <a href="https://redcanary.com/blog/threat-detection/google-workspace-oauth-attack/">Red Canary OAuth-attack writeup</a> walks through the current panel layout). With the default blocked, a user can only consent to apps that an admin has explicitly trusted.</li>
              <li><strong>Restrict access to the four high-impact services.</strong> Same screen, set <strong>Gmail</strong>, <strong>Drive and Docs</strong>, <strong>Contacts</strong> and <strong>Calendar</strong> to <em>"Restricted"</em> rather than <em>"Unrestricted"</em>. Restricted means only Trusted apps can request scopes for that service; everything else is blocked even if the user clicks accept.</li>
              <li><strong>Audit domain-wide delegation quarterly.</strong> Admin Console &rarr; Security &rarr; API controls &rarr; <strong>Domain-wide delegation</strong>. Every entry is an unconditional impersonation grant. The list should be short, named, and every entry should map to a documented service. Unknown client IDs here are an incident.</li>
              <li><strong>Forward Workspace audit logs out of Google.</strong> Workspace audit log retention varies by data type and edition (the OAuth Token Reports API is documented to expose 180 days; in-console audit log views may surface different windows). Forward the events out via Pub/Sub or a vendor add-on into a SIEM with longer retention so consent events from a year ago are still queryable when an attack surfaces. Confirm your edition's actual retention in the Admin Help center before relying on it.</li>
              <li><strong>Subscribe to OAuthSentry's <code>feeds/google/google_malicious.txt</code></strong> and run the Detection 1 curl on a 15-minute cadence. The list is small today (two entries) but every new compromise lands here within a day of public disclosure.</li>
            </ul>
          </div>
        </div>

        <!-- ===== GitHub ===== -->
        <div class="invest-section" id="sub-github" hidden>
          <div class="doc-block">
            <h2>OAuth abuse against GitHub <span style="font-family: var(--font-display); font-size: 0.55em; vertical-align: 0.4em; padding: 3px 8px; background: var(--accent); color: var(--bg); border-radius: 3px; letter-spacing: 0.04em; text-transform: uppercase; font-weight: 700;">beta</span></h2>
            <div style="border-left: 3px solid var(--accent); padding: 12px 16px; margin: 0 0 24px; background: rgba(255,255,255,0.02); font-size: 14px; color: var(--text-dim);">
              <strong style="color: var(--text);">Beta - audit log event names, REST API paths and GitHub UI menu paths in this section are based on GitHub's published documentation.</strong> Field availability differs between GitHub Enterprise Cloud and GitHub Enterprise Server, and the audit log schema has changed across recent API versions. Verify against your GitHub edition before relying on the specifics. Corrections welcome at <a href="https://github.com/oauthsentry/oauthsentry.github.io/issues">github.com/oauthsentry/oauthsentry.github.io/issues</a>.
            </div>
            <p class="doc-lede">GitHub's OAuth threat surface is structurally different from Entra and Google: instead of a tenant-hosted SP that survives revocation events, GitHub OAuth Apps are owned and operated by their publisher (Heroku, Travis CI, etc.), and a single compromise of the publisher exposes every customer org that authorized that app. The April 2022 Heroku/Travis CI incident, which drives OAuthSentry's seed list for this service today, is the canonical example.</p>

            <h3><span class="num">1</span> Tradecraft and known-bad apps</h3>
            <p>Three patterns GitHub defenders should expect. The first one is the high-impact threat:</p>
            <ul>
              <li><strong>Publisher compromise of a popular OAuth integrator.</strong> Attacker breaches a SaaS vendor that holds OAuth user tokens for many GitHub orgs (CI/CD platform, deployment tool, code-review service, security scanner) and then enumerates and clones every private repo those tokens grant access to. The user did consent legitimately - the threat actor inherits trust from a now-compromised vendor. Detection has to start at the audit log level, looking at <em>which apps</em> have ever been authorized in your org.</li>
              <li><strong>Stolen Personal Access Tokens (PATs).</strong> Not strictly OAuth, but adjacent: a developer commits a PAT, leaks it through an env-var dump, or has it stolen via stealer malware. The token is then used to read private repos or push malicious commits. Hunt with <code>action:personal_access_token</code> events and the <code>hashed_token</code> field in audit log entries.</li>
              <li><strong>Malicious GitHub App installation.</strong> An attacker convinces an org owner to install a GitHub App they control. Different threat model from OAuth Apps - GitHub Apps act as themselves with installation tokens, not as the consenting user, and have fine-grained permissions. The audit signal is <code>integration_installation.create</code> for an unknown app slug.</li>
            </ul>

            <p>The four GitHub OAuth App names OAuthSentry currently classifies as malicious-historical (curated from <a href="https://github.blog/news-insights/company-news/security-alert-stolen-oauth-user-tokens/">GitHub's April 2022 disclosure</a>):</p>
            <table class="kv-table">
              <thead><tr><th>App name (matchable in audit logs)</th><th>Numeric OAuth App ID(s)</th><th>Status</th></tr></thead>
              <tbody>
                <tr><td class="mono">Heroku Dashboard</td><td class="mono">145909, 628778</td><td rowspan="3">Tokens stolen and abused April 2022. Heroku/GitHub revoked all tokens April 13-16 2022 and Heroku stopped issuing new tokens from the Heroku Dashboard integration. Active threat window is closed; remains valuable as a historical IOC for hunting pre-revocation activity in retained audit logs.</td></tr>
                <tr><td class="mono">Heroku Dashboard - Preview</td><td class="mono">313468</td></tr>
                <tr><td class="mono">Heroku Dashboard - Classic</td><td class="mono">363831</td></tr>
                <tr><td class="mono">Travis CI</td><td class="mono">9216</td><td>Tokens stolen via the Heroku-side compromise; Travis CI revoked all authorization keys and tokens April 15 2022. Same hunting guidance as Heroku Dashboard variants.</td></tr>
              </tbody>
            </table>
            <div style="border-left: 3px solid var(--accent); padding: 12px 16px; margin: 16px 0; background: rgba(255,255,255,0.02); font-size: 14px; color: var(--text-dim);">
              <strong style="color: var(--text);">Why the matchable IOC is the name, not the number.</strong> Unlike Entra (which surfaces an AppId GUID on every consent event) or Google (which surfaces a <code>client_id</code> string on every <code>authorize</code> event), GitHub's audit log emits <code>oauth_application_name</code> on the <code>oauth_authorization.*</code> and <code>oauth_access.*</code> action families - <strong>and does not include the numeric OAuth App ID on those events</strong>. The numeric IDs above are the canonical identifiers from GitHub's UI (Settings &rarr; Developer settings &rarr; OAuth Apps), which GitHub itself published as IOCs in their disclosure. They are useful for absolute identification but for audit-log hunting, you match on the name. OAuthSentry's <code>feeds/github/github_malicious.txt</code> ships the names for that reason.
            </div>

            <h3><span class="num">2</span> Audit trail - the GitHub audit log REST API</h3>
            <p>OAuth App authorizations, revocations and token generation events live in the <a href="https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization">org audit log</a> (or enterprise audit log, for Enterprise Cloud customers). Two REST API endpoints expose them:</p>
            <table class="kv-table">
              <thead><tr><th>Scope</th><th>Endpoint</th></tr></thead>
              <tbody>
                <tr><td>Single org</td><td class="mono">https://api.github.com/orgs/{org}/audit-log</td></tr>
                <tr><td>Enterprise (all orgs)</td><td class="mono">https://api.github.com/enterprises/{enterprise}/audit-log</td></tr>
              </tbody>
            </table>

            <p>Required PAT or OAuth-app scope is <code>read:audit_log</code> (introduced December 2022 - prior to that, full <code>admin:org</code> was needed). The audit log retains most events for up to 180 days; Git events are retained for 7 days only, and the in-UI view defaults to the past 3 months.</p>

            <p>The OAuth-relevant action names defenders should hunt on:</p>
            <table class="kv-table">
              <thead><tr><th>Action</th><th>What it records</th><th>Key fields</th></tr></thead>
              <tbody>
                <tr><td class="mono">oauth_authorization.create</td><td>A user authorized a third-party OAuth App against their account/org.</td><td><code>actor</code>, <code>oauth_application_name</code>, <code>created_at</code></td></tr>
                <tr><td class="mono">oauth_authorization.update</td><td>An existing authorization was modified (typically scope expansion).</td><td><code>actor</code>, <code>oauth_application_name</code></td></tr>
                <tr><td class="mono">oauth_authorization.destroy</td><td>An authorization was revoked.</td><td><code>actor</code>, <code>oauth_application_name</code>, <code>explanation</code></td></tr>
                <tr><td class="mono">oauth_access.generate</td><td>A new OAuth access token was issued under an existing authorization.</td><td><code>actor</code>, <code>oauth_application_name</code>, <code>token_id</code>, <code>token_scopes</code>, <code>hashed_token</code></td></tr>
                <tr><td class="mono">oauth_access.regenerate</td><td>An existing OAuth access token was rotated (the authorization stays, the token is reissued).</td><td><code>actor</code>, <code>oauth_application_name</code>, <code>token_id</code>, <code>token_scopes</code>, <code>hashed_token</code>, <code>actor_ip</code></td></tr>
                <tr><td class="mono">integration_installation.create</td><td>A GitHub App (not OAuth App) was installed in the org.</td><td><code>actor</code>, integration name</td></tr>
                <tr><td class="mono">personal_access_token.access_granted</td><td>A fine-grained PAT was granted access to org resources.</td><td><code>actor</code>, <code>token_id</code>, <code>token_scopes</code></td></tr>
              </tbody>
            </table>

            <p>An anonymized reference event - what one of these actions actually looks like in a Cloud enterprise's audit log:</p>
            <div class="code-block">
              <div class="code-header">Audit log event (anonymized) - oauth_access.regenerate<button class="copy-snippet" type="button">copy</button></div>
              <pre>{
  "@timestamp":   1777298667221,
  "_document_id": "&lt;document-id&gt;",
  "action":       "oauth_access.regenerate",
  "actor_ip":     "&lt;source-ip&gt;",
  "actor_location": { "country_code": "&lt;cc&gt;" },
  "business":     "&lt;enterprise-slug&gt;",
  "business_id":  &lt;enterprise-id&gt;,
  "created_at":   1777298667221,
  "hashed_token": "&lt;sha256-of-token&gt;",
  "oauth_application_name": "&lt;internal-app-name&gt;",
  "operation_type":          "modify",
  "request_access_security_header": null,
  "request_id":              "&lt;request-id&gt;",
  "token_id":                &lt;token-id&gt;,
  "token_scopes":            "read:org,user:email",
  "user":                    "&lt;username&gt;",
  "user_agent":              "Go-http-client/2.0",
  "user_id":                 &lt;user-id&gt;
}</pre>
            </div>
            <p>The four fields defenders pivot on, with paths confirmed against the shape above:</p>
            <ul>
              <li><strong>OAuth App identifier</strong> &rarr; <code>oauth_application_name</code> at the top level. <strong>Lower-case and match against OAuthSentry's <code>feeds/github/github_malicious.txt</code></strong>. As noted above, the numeric OAuth App ID is <em>not</em> emitted on these events - the name is the only matchable identifier.</li>
              <li><strong>Granted scopes</strong> &rarr; <code>token_scopes</code> as a comma-separated string (e.g. <code>read:org,user:email</code>). <code>repo</code>, <code>repo:write</code>, <code>workflow</code>, <code>admin:org</code>, <code>delete_repo</code> are the high-impact scopes; treat any new authorization that requests them as page-on-call.</li>
              <li><strong>Acting user and source</strong> &rarr; <code>user</code> + <code>user_id</code> (top-level), pair with <code>actor_ip</code> and <code>actor_location.country_code</code> for geo / VPN / hosting-provider checks. The <code>user_agent</code> is also informative - Go and Python HTTP clients on consent-prompt actions are unusual and worth investigating.</li>
              <li><strong>Token identity</strong> &rarr; <code>token_id</code> (numeric) and <code>hashed_token</code> (URL-safe base64 SHA-256 of the raw token). Both are stable across the lifetime of the same token and let you correlate one consent event with every subsequent <code>git.clone</code>, <code>git.fetch</code>, or repo-read action that used that token. To search for every event tied to a known-leaked token, use <a href="https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token">GitHub's hashed-token search</a>.</li>
            </ul>

            <h3><span class="num">3</span> Detection queries</h3>
            <p><strong>Detection 1: any authorization or token-issuance event for a known-malicious app, via REST API.</strong> Poll the org or enterprise audit log on a 5-15 minute cadence using a service-account PAT with the <code>read:audit_log</code> scope. Match the <code>oauth_application_name</code> field against OAuthSentry's malicious feed (which contains names, not numeric IDs - see the schema callout above):</p>
            <div class="code-block">
              <div class="code-header">curl - GitHub audit log OAuth-app hunt by name<button class="copy-snippet" type="button">copy</button></div>
              <pre>``` Pull the last hour of OAuth-lifecycle events for an org and match by name ```
ORG="your-org"
PAT="ghp_..."  # PAT with read:audit_log scope
SINCE=$(date -u -d '1 hour ago' +%Y-%m-%dT%H:%M:%SZ)

``` All events whose action category is oauth_authorization or oauth_access ```
``` (covers create, update, destroy, generate, regenerate). Note +>= URL-encoding ```
curl -s \
  -H "Authorization: Bearer $PAT" \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  "https://api.github.com/orgs/$ORG/audit-log?phrase=action:oauth_authorization+OR+action:oauth_access+created:&gt;=$SINCE&amp;per_page=100" \
| jq -r '.[] | [
    (.["@timestamp"] / 1000 | strftime("%Y-%m-%dT%H:%M:%SZ")),
    .action,
    .user,
    .actor_ip,
    .oauth_application_name,
    .token_scopes
  ] | @csv' \
| awk -F',' 'BEGIN { while((getline n &lt; "/path/to/feeds/github/github_malicious.txt") &gt; 0) if (n !~ /^#/) bad[tolower(n)]=1 }
             { name=tolower($5); gsub(/"/, "", name); if (bad[name]) print "MALICIOUS:", $0 }'</pre>
            </div>
            <p>The same query works against <code>/enterprises/{enterprise}/audit-log</code> if you have enterprise-level access - that gives one query that covers every org in the enterprise.</p>

            <p><strong>Detection 2: gh CLI (lighter-weight version of the same hunt).</strong> The <a href="https://cli.github.com/manual/gh_api">gh api</a> command handles auth and pagination for you when running locally:</p>
            <div class="code-block">
              <div class="code-header">gh CLI - audit log OAuth hunt<button class="copy-snippet" type="button">copy</button></div>
              <pre>``` Last 7 days of OAuth authorization events, paginated ```
gh api --paginate \
  -H "Accept: application/vnd.github+json" \
  "/orgs/$ORG/audit-log?phrase=action:oauth_authorization+created:&gt;=$(date -u -d '7 days ago' +%Y-%m-%d)&amp;per_page=100" \
  | jq '.[] | {ts: .["@timestamp"], actor, app: .oauth_application_name, action}'</pre>
            </div>

            <p><strong>Detection 3: SIEM-side, if you stream GitHub audit logs.</strong> GitHub Enterprise Cloud supports <a href="https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/streaming-the-audit-log-for-your-enterprise/about-audit-log-streaming-for-your-enterprise">audit log streaming</a> to S3, Azure Blob, GCS, Splunk, Datadog and others. Once landed, the field names match the REST response, so the same predicate works:</p>
            <div class="code-block">
              <div class="code-header">SPL - GitHub audit log OAuth authorize against malicious feed<button class="copy-snippet" type="button">copy</button></div>
              <pre>index=github sourcetype=github:audit action="oauth_authorization.create"
| eval app_name = lower(oauth_application_name)
| lookup oauthsentry_github_malicious appname as app_name
    OUTPUT category as oas_category, severity as oas_severity, comment as oas_comment
| where oas_category = "malicious"
| stats count
        earliest(_time) as first_seen
        latest(_time)   as last_seen
        values(actor)   as users
    by app_name, oas_severity, oas_comment
| convert ctime(first_seen) ctime(last_seen)</pre>
            </div>
            <p><strong>Verify the sourcetype</strong> - <code>github:audit</code> is the typical Splunk Add-on for GitHub Enterprise sourcetype, but the field naming after parse-time depends on your specific add-on/parser configuration.</p>

            <h3><span class="num">4</span> Remediation - revoking OAuth apps and tokens</h3>
            <p>GitHub's revocation model has three layers, and you need to use the right one depending on what you're trying to revoke:</p>
            <ul>
              <li><strong>Org-level revocation of the OAuth App (the right answer for a known-malicious app).</strong> Org settings &rarr; <strong>Third-party access</strong> &rarr; <strong>OAuth app policy</strong>. If OAuth app access restrictions are enabled, you can deny the app outright; otherwise, click the app entry and revoke its access. This blocks future use across the entire org regardless of which user authorized it. From the REST API: <code>DELETE /orgs/{org}/credential-authorizations/{credential_id}</code> (requires SAML SSO with the <code>admin:org</code> scope).</li>
              <li><strong>User-level revocation</strong> (for individual cleanup): the user can go to GitHub &rarr; Settings &rarr; <strong>Applications</strong> &rarr; <strong>Authorized OAuth Apps</strong> and revoke. From the REST API: <code>DELETE /applications/{client_id}/grant</code> (requires Basic auth with the OAuth App's client ID + secret - app-owner credentials, not the user's).</li>
              <li><strong>Token-level revocation by the publisher.</strong> If the OAuth App publisher itself has been compromised (the Heroku/Travis CI scenario), only they can revoke the issued tokens via <code>DELETE /applications/{client_id}/token</code>. Defenders cannot do this from the customer side - org-level revocation (above) is what disconnects your org from the compromised publisher.</li>
            </ul>

            <h3><span class="num">5</span> Hardening - controls that prevent the next OAuth-driven incident</h3>
            <ul>
              <li><strong>Enable OAuth App access restrictions on every org.</strong> Org settings &rarr; <strong>Third-party access</strong> &rarr; toggle <em>Restrict OAuth app access to this organization</em>. With this on, OAuth Apps must be explicitly approved by an org owner before they can read org-level resources. Without this restriction, any member can authorize any OAuth App against their org access. <a href="https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/about-oauth-app-access-restrictions">GitHub's docs</a> walk through the setup and the notification flow.</li>
              <li><strong>Stream the audit log out of GitHub.</strong> Enterprise Cloud customers can stream to S3, Azure Blob, GCS, Splunk or Datadog. The native retention is 180 days for most events and 7 days for Git events; streaming is the only way to keep these queryable for a full year of incident response.</li>
              <li><strong>Require SAML SSO and SCIM.</strong> Tying every authorization to a verified IdP identity makes the <code>actor</code> field in audit log events a real identity instead of a username, which dramatically improves attribution after an incident.</li>
              <li><strong>Use fine-grained PATs and short token lifetimes.</strong> Where you have to use long-lived credentials, prefer <a href="https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens">fine-grained PATs</a> (per-resource scoping, mandatory expiry) over classic PATs with broad <code>repo</code> scope. The audit log surfaces these as <code>personal_access_token.*</code> actions with <code>token_id</code> and <code>token_scopes</code> fields.</li>
              <li><strong>Subscribe to OAuthSentry's <code>feeds/github/github_malicious.txt</code></strong> and the human-readable name list to feed your audit-log hunts. The list is small today (five entries from one historical incident) but every publisher compromise added here lands within a day of public disclosure.</li>
            </ul>
          </div>
        </div>
      </div>
    </section>

    <!-- ============ FEEDS PAGE ============ -->
    <section id="page-feeds" hidden>
      <div class="shell">
        <div class="section">
          <h2>Feeds</h2>
          <p class="lead">
            Plain-text and CSV feeds for direct ingestion into SIEM, EDR allow/deny lists, KQL hunts, Splunk lookups and so on. Updated automatically from upstream sources via GitHub Actions. One App ID per line in <span class="mono">.txt</span> feeds.
          </p>

          <div class="feed-grid">
            <div class="feed-card compliance">
              <h3>Compliance</h3>
              <p class="desc">Legitimate first-party and well-known third-party apps. Use as a known-good baseline for triage and allowlists.</p>
              <div class="feed-links">
                <a href="feeds/entra/entra_compliance.txt"><span>entra - txt</span><span class="fmt">app ids</span></a>
                <a href="feeds/entra/entra_compliance.csv"><span>entra - csv</span><span class="fmt">full</span></a>
                <a href="feeds/google/google_compliance.txt"><span>google - txt</span><span class="fmt">app ids</span></a>
                <a href="feeds/google/google_compliance.csv"><span>google - csv</span><span class="fmt">full</span></a>
                <a href="feeds/github/github_compliance.txt"><span>github - txt</span><span class="fmt">app ids</span></a>
                <a href="feeds/github/github_compliance.csv"><span>github - csv</span><span class="fmt">full</span></a>
                <a href="feeds/all/all_compliance.txt"><span>all services - txt</span><span class="fmt">app ids</span></a>
                <a href="feeds/all/all_compliance.csv"><span>all services - csv</span><span class="fmt">full</span></a>
              </div>
            </div>

            <div class="feed-card risky">
              <h3>Risky</h3>
              <p class="desc">Legitimate apps repeatedly observed in BEC, exfiltration tooling (rclone, eM Client), or first-party Microsoft apps abused via AADInternals / EvilProxy / UTA0352. Hunt context.</p>
              <div class="feed-links">
                <a href="feeds/entra/entra_risky.txt"><span>entra - txt</span><span class="fmt">app ids</span></a>
                <a href="feeds/entra/entra_risky.csv"><span>entra - csv</span><span class="fmt">full</span></a>
                <a href="feeds/google/google_risky.txt"><span>google - txt</span><span class="fmt">app ids</span></a>
                <a href="feeds/google/google_risky.csv"><span>google - csv</span><span class="fmt">full</span></a>
                <a href="feeds/github/github_risky.txt"><span>github - txt</span><span class="fmt">app ids</span></a>
                <a href="feeds/github/github_risky.csv"><span>github - csv</span><span class="fmt">full</span></a>
                <a href="feeds/all/all_risky.txt"><span>all services - txt</span><span class="fmt">app ids</span></a>
                <a href="feeds/all/all_risky.csv"><span>all services - csv</span><span class="fmt">full</span></a>
              </div>
            </div>

            <div class="feed-card malicious">
              <h3>Malicious</h3>
              <p class="desc">Confirmed malicious OAuth applications: APT29 redirect apps, EvilGinx/AiTM lures, RH-ISAC tracked impersonation campaigns, homoglyph SharePoint/OneDrive impersonators, and disclosed publisher compromises (Salesloft Drift, Context.ai, Heroku Dashboard).</p>
              <div class="feed-links">
                <a href="feeds/entra/entra_malicious.txt"><span>entra - txt</span><span class="fmt">app ids</span></a>
                <a href="feeds/entra/entra_malicious.csv"><span>entra - csv</span><span class="fmt">full</span></a>
                <a href="feeds/google/google_malicious.txt"><span>google - txt</span><span class="fmt">app ids</span></a>
                <a href="feeds/google/google_malicious.csv"><span>google - csv</span><span class="fmt">full</span></a>
                <a href="feeds/github/github_malicious.txt"><span>github - txt</span><span class="fmt">app names</span></a>
                <a href="feeds/github/github_malicious.csv"><span>github - csv</span><span class="fmt">full</span></a>
                <a href="feeds/all/all_malicious.txt"><span>all services - txt</span><span class="fmt">app ids</span></a>
                <a href="feeds/all/all_malicious.csv"><span>all services - csv</span><span class="fmt">full</span></a>
              </div>
            </div>
          </div>
        </div>

        <div class="section">
          <h2>Combined feeds</h2>
          <p class="lead">Cross-service exports. The <code>all_index.json</code> is what the search UI uses; use it for any custom integration that needs the full record per app.</p>
          <div class="feed-grid">
            <div class="feed-card">
              <h3>JSON</h3>
              <p class="desc">Full schema, every service, ready for programmatic consumption.</p>
              <div class="feed-links">
                <a href="feeds/all/all_index.json"><span>all/all_index.json</span><span class="fmt">json</span></a>
                <a href="feeds/entra/entra_all.json"><span>entra/entra_all.json</span><span class="fmt">json</span></a>
                <a href="feeds/google/google_all.json"><span>google/google_all.json</span><span class="fmt">json</span></a>
                <a href="feeds/github/github_all.json"><span>github/github_all.json</span><span class="fmt">json</span></a>
                <a href="feeds/summary.json"><span>summary.json</span><span class="fmt">counts</span></a>
              </div>
            </div>
          </div>
        </div>

        <div class="section">
          <h2>Changelog feed</h2>
          <p class="lead">Subscribe to catalog changes - adds, removes, category shifts, severity escalations - in real time. Standard Atom feed for any RSS reader, SIEM RSS connector, or chat-bot integration; JSON twin for programmatic consumers. The changelog is the push-style counterpart to the request/response API: instead of polling <code>lookup_by_appid.json</code> daily and diffing it yourself, subscribe and let your tooling pull on update.</p>
          <div class="feed-grid">
            <div class="feed-card">
              <h3>Subscribe</h3>
              <p class="desc">Atom 1.0 standard format. Every entry covers one catalog change with the appid, service, category, severity and a human-readable summary; categorized by change kind (<code>added</code>, <code>removed</code>, <code>category-changed</code>, <code>severity-raised</code>, <code>reference-added</code>) so consumers can filter on what they care about.</p>
              <div class="feed-links">
                <a href="feeds/changelog.atom"><span>changelog.atom</span><span class="fmt">RSS / Atom</span></a>
                <a href="feeds/changelog.json"><span>changelog.json</span><span class="fmt">JSON</span></a>
              </div>
            </div>

            <div class="feed-card">
              <h3>Use cases</h3>
              <p class="desc">Pipe into Slack/Teams via the built-in RSS app for immediate awareness of new malicious app entries; refresh a Splunk lookup table or Sentinel watchlist on every <code>added</code>/<code>category-changed</code> event so detections stay current without manual export-import; alert on first appearance of a <code>severity-raised</code> entry that escalates a previously-known compliance app to risky/malicious.</p>
              <div class="feed-links">
                <a href="https://oauthsentry.github.io/feeds/changelog.atom"><span>permanent URL</span><span class="fmt">copy this</span></a>
              </div>
            </div>
          </div>

          <div class="code-block">
            <div class="code-header">curl - check for changes since last poll<button class="copy-snippet" type="button">copy</button></div>
            <pre>``` Pull and pretty-print the JSON twin (entries sorted newest first) ```
curl -s https://oauthsentry.github.io/feeds/changelog.json | jq '.entries[:5]'

``` Filter for malicious-only changes in the last 24h ```
curl -s https://oauthsentry.github.io/feeds/changelog.json \
  | jq --arg since "$(date -u -d '24 hours ago' +%Y-%m-%dT%H:%M:%SZ)" '
      .entries
      | map(select(.category == "malicious" and .ts &gt; $since))'

``` Watch for any new addition to the malicious bucket and write to a SIEM lookup ```
curl -s https://oauthsentry.github.io/feeds/changelog.json \
  | jq -r '.entries[]
      | select(.kind == "added" and .category == "malicious")
      | [.ts, .service, .appid, .appname] | @csv' \
  | tee -a /var/lib/oauthsentry/new_malicious.csv</pre>
          </div>
          <p style="font-size: 13px; color: var(--text-faint); margin-top: 12px;">
            History rolling-retains the last 200 entries; older changes drop off. The <code>data/.last_build.json</code> snapshot in the repo is what each new build diffs against - it must be committed back after each CI run so consecutive runs detect changes correctly.
          </p>
        </div>
      </div>
    </section>

    <!-- ============ TRIAGE PAGE ============ -->
    <section id="page-triage" hidden>
      <div class="shell">
        <div class="section">
          <h2>Triage</h2>
          <p class="lead">
            Paste a list of OAuth App IDs, structured audit log JSON, or any raw log dump that mentions OAuth app IDs. Each identifier
            is matched against OAuthSentry's catalog and grouped by category - <span class="cat-malicious mono">malicious</span> first, then
            <span class="cat-risky mono">risky</span>, then <span class="cat-unknown mono">unknown</span> (the bucket worth
            investigating because it's not in any list yet), then <span class="cat-compliance mono">compliance</span>
            (collapsed). Pure client-side; pasted content never leaves the browser.
          </p>

          <div class="triage-grid">
            <div class="triage-input-card">
              <div class="triage-input-header">
                <label for="triage-input">Input</label>
                <span class="triage-hint" id="triage-format-hint">auto-detecting...</span>
              </div>
              <textarea id="triage-input" rows="12" spellcheck="false" placeholder="Paste here. Three input modes, auto-detected:&#10;&#10;1. PRECISE EXTRACT - structured audit log JSON in a known shape&#10;   - M365 unified audit log: pulls ObjectId from 'Consent to application' events&#10;   - Google Reports API: pulls client_id from token authorize events&#10;   - GitHub audit log: pulls oauth_application_name from oauth_* events&#10;&#10;2. PLAIN LIST - one identifier per line, or comma/semicolon-separated&#10;   c5393580-f805-4401-95e8-94b7a6ef2fc2&#10;   1084253493764-ipb2ntp4...apps.googleusercontent.com&#10;   Heroku Dashboard&#10;&#10;3. RAW DUMP - anything else (Graph activity logs, Sentinel alerts, shell output)&#10;   Scans the text for Entra GUIDs and Google client_id patterns.&#10;   Note: GitHub app NAMES cannot be regex-extracted from raw text; use mode 1 or 2&#10;   for GitHub triage."></textarea>
              <div class="triage-actions">
                <button id="triage-run" class="btn-primary">Triage</button>
                <button id="triage-clear" class="btn-secondary">Clear</button>
                <button id="triage-sample" class="btn-secondary">Load sample</button>
              </div>
            </div>

            <div class="triage-results-card">
              <div class="triage-results-header">
                <span id="triage-summary">Paste input and click Triage to begin.</span>
                <span class="triage-export" id="triage-export" hidden>
                  <button id="triage-export-csv" class="btn-link">copy as CSV</button>
                  <button id="triage-export-md" class="btn-link">copy as Markdown</button>
                </span>
              </div>
              <div id="triage-results"></div>
            </div>
          </div>

          <div class="api-callout" style="padding: 14px 18px;">
            <p style="margin: 0; font-size: 13px; color: var(--text-dim);">
              Need this from a script, SOAR runbook, or alert pipeline? The same lookup is exposed as a static REST API - see the
              <a href="#/api" data-route="/api">API</a> tab for endpoints, the slug rule, and code samples.
            </p>
          </div>
        </div>
      </div>
    </section>

    <!-- ============ TOKEN DECODER PAGE ============ -->
    <section id="page-tokens" hidden>
      <div class="shell">
        <div class="section">
          <h2>Entra access token decoder</h2>
          <p class="lead">
            Paste a Microsoft Entra JWT - from a phishing kit dump, a stealer log, an audit-log export, a captured <code>Bearer</code>
            header, or a developer's <code>Get-MgContext</code> output - and get an annotated explanation of every claim, with the wids
            decoded against the canonical Microsoft Entra built-in roles, the appid cross-referenced against OAuthSentry's catalog and
            the FOCI / first-party app reference, the scopes flagged for risk, and a "what to do next" panel that prefills the SPL
            queries from the Forensic Traces tab. <strong>Pure client-side</strong> - the token never leaves your browser. Signature
            validation is intentionally not performed; this is for IR claim interpretation, not authentication.
          </p>

          <div class="tokens-input-card">
            <label for="tokens-input" class="form-label">JWT</label>
            <textarea id="tokens-input" rows="6" spellcheck="false" autocomplete="off"
              placeholder="Paste the full JWT here. Three segments separated by dots. Example: eyJ0eXAi...A.eyJhdWQ...A.signature&#10;Or paste an Authorization header (Bearer ...) - the prefix will be stripped automatically."></textarea>
            <div class="tokens-actions">
              <button type="button" id="tokens-decode-btn" class="btn btn-primary">Decode</button>
              <button type="button" id="tokens-clear-btn" class="btn">Clear</button>
              <span class="tokens-privacy-note">Runs locally - the token never leaves your browser.</span>
            </div>
            <div id="tokens-error" class="form-error" hidden></div>
          </div>

          <div id="tokens-output" class="tokens-output" hidden>
            <!-- Summary banner -->
            <div id="tokens-summary" class="tokens-summary"></div>

            <!-- Two columns: decoded claims (left), action panel (right) -->
            <div class="tokens-grid">
              <div class="tokens-claims-card">
                <h3>Decoded claims</h3>
                <div id="tokens-header-section">
                  <h4>Header</h4>
                  <div id="tokens-header-claims" class="tokens-claims-list"></div>
                </div>
                <div id="tokens-payload-section">
                  <h4>Payload</h4>
                  <div id="tokens-payload-claims" class="tokens-claims-list"></div>
                </div>
              </div>

              <div class="tokens-actions-card">
                <h3>What to do next</h3>
                <div id="tokens-action-panel"></div>

                <h3 style="margin-top: 20px;">Raw JSON</h3>
                <details>
                  <summary>Show full decoded JSON</summary>
                  <pre id="tokens-raw-json" class="tokens-raw-json"></pre>
                </details>
              </div>
            </div>
          </div>
        </div>
      </div>
    </section>

    <!-- ============ SUBMIT PAGE ============ -->
    <section id="page-submit" hidden>
      <div class="shell">
        <div class="section">
          <h2>Submit a new OAuth app to the catalog</h2>
          <p class="lead">
            Spotted a malicious OAuth app id in your audit logs, or read about one in a security disclosure that should be in OAuthSentry?
            Fill the form below and submit as a GitHub issue, a downloadable CSV row you can attach to a PR, or an email - all three options
            land the same data, pick whichever takes the least friction. The form validates field shapes locally so the most common bad
            submissions (wrong-shape GUID, missing reference, severity mismatched to category) get caught before they reach the maintainer queue.
          </p>

          <div class="submit-grid">
            <div class="submit-form-card">
              <form id="submit-form" novalidate>
                <div class="form-row">
                  <label class="form-label">
                    Service
                    <span class="form-required">*</span>
                  </label>
                  <div class="radio-group">
                    <label><input type="radio" name="service" value="entra" checked> Entra (Microsoft 365 / Azure)</label>
                    <label><input type="radio" name="service" value="google"> Google Workspace</label>
                    <label><input type="radio" name="service" value="github"> GitHub</label>
                  </div>
                </div>

                <div class="form-row">
                  <label class="form-label" for="submit-appid">
                    App ID
                    <span class="form-required">*</span>
                    <span class="form-hint" id="submit-appid-hint">36-char GUID like c5393580-f805-4401-95e8-94b7a6ef2fc2</span>
                  </label>
                  <input type="text" id="submit-appid" name="appid" spellcheck="false" autocomplete="off">
                  <div class="form-error" id="submit-appid-error" hidden></div>
                </div>

                <div class="form-row">
                  <label class="form-label" for="submit-appname">
                    App name
                    <span class="form-required">*</span>
                    <span class="form-hint">As it appears to users in the consent prompt or audit log</span>
                  </label>
                  <input type="text" id="submit-appname" name="appname" spellcheck="false" autocomplete="off">
                </div>

                <div class="form-row">
                  <label class="form-label">
                    Category
                    <span class="form-required">*</span>
                    <span class="form-hint">Malicious = used in attacks; risky = legit but commonly abused; compliance = legit and pre-vetted</span>
                  </label>
                  <div class="radio-group">
                    <label><input type="radio" name="category" value="malicious"> Malicious</label>
                    <label><input type="radio" name="category" value="risky"> Risky</label>
                    <label><input type="radio" name="category" value="compliance"> Compliance</label>
                  </div>
                </div>

                <div class="form-row">
                  <label class="form-label">
                    Severity
                    <span class="form-required">*</span>
                    <span class="form-hint">Match the operational impact, not just the category. Compliance is almost always info.</span>
                  </label>
                  <div class="radio-group radio-group-tight">
                    <label><input type="radio" name="severity" value="info" checked> Info</label>
                    <label><input type="radio" name="severity" value="low"> Low</label>
                    <label><input type="radio" name="severity" value="medium"> Medium</label>
                    <label><input type="radio" name="severity" value="high"> High</label>
                    <label><input type="radio" name="severity" value="critical"> Critical</label>
                  </div>
                </div>

                <div class="form-row">
                  <label class="form-label" for="submit-comment">
                    Comment
                    <span class="form-required">*</span>
                    <span class="form-hint">What this app does and why it landed in the chosen category. Aim for 1-3 sentences with concrete details.</span>
                  </label>
                  <textarea id="submit-comment" name="comment" rows="4" spellcheck="true"></textarea>
                  <div class="form-error" id="submit-comment-error" hidden></div>
                </div>

                <div class="form-row">
                  <label class="form-label" for="submit-references">
                    Reference URL(s)
                    <span class="form-required">*</span>
                    <span class="form-hint">Vendor blog, CVE, security advisory, etc. One per line. Public sources strongly preferred over internal links.</span>
                  </label>
                  <textarea id="submit-references" name="references" rows="3" spellcheck="false" placeholder="https://example.com/blog/post-about-this-app"></textarea>
                  <div class="form-error" id="submit-references-error" hidden></div>
                </div>

                <div class="form-row">
                  <label class="form-label" for="submit-source">
                    Source <span class="form-hint">(optional)</span>
                  </label>
                  <select id="submit-source" name="source">
                    <option value="">- select -</option>
                    <option value="first-hand">First-hand observation in our tenant</option>
                    <option value="vendor-disclosure">Vendor disclosure or security blog</option>
                    <option value="researcher">Independent security researcher</option>
                    <option value="other">Other</option>
                  </select>
                </div>

                <div class="form-row">
                  <label class="form-label" for="submit-credit">
                    Credit (optional)
                    <span class="form-hint">Name or handle to credit in the catalog reference if accepted. Leave blank to stay anonymous.</span>
                  </label>
                  <input type="text" id="submit-credit" name="credit" spellcheck="false" autocomplete="off" placeholder="@yourname or your.email@example.com">
                </div>

                <div class="form-actions">
                  <button type="button" id="submit-btn-issue" class="btn btn-primary">Open as GitHub issue</button>
                  <button type="button" id="submit-btn-csv" class="btn">Download as CSV</button>
                  <button type="button" id="submit-btn-mailto" class="btn">Send by email</button>
                </div>

                <div id="submit-status" class="submit-status" hidden></div>
              </form>
            </div>

            <div class="submit-side-card">
              <h3>What happens next</h3>
              <ol class="submit-steps">
                <li><strong>You submit.</strong> The GitHub-issue button opens an issue in <a href="https://github.com/oauthsentry/oauthsentry.github.io/issues" target="_blank" rel="noopener">our repo</a> with all fields prefilled - one click to send it. The CSV button gives you a downloadable file you can attach to your own PR. The email button opens your default mail client with the same content.</li>
                <li><strong>Maintainers triage.</strong> A label of <code>submission</code> goes on the issue automatically; the queue is reviewed weekly. Submissions with strong public references are merged faster than ones without.</li>
                <li><strong>Catalog updates.</strong> Accepted entries land in the per-service CSVs in <code>data/{entra,google,github}/</code> on the next build. The <a href="#/feeds" data-route="/feeds">changelog feed</a> announces them within 24 hours of merge.</li>
              </ol>

              <h3 style="margin-top: 24px;">Quality bar</h3>
              <p>Submissions are accepted when they meet three tests:</p>
              <ul class="submit-bar">
                <li><strong>Verifiable</strong>: at least one public reference (security blog, CVE, advisory, news article) confirms the app id and the claim. First-hand audit-log observations are welcome but need a public corroborating source.</li>
                <li><strong>Specific</strong>: the appid is real and unique, the comment names what the app actually does, and the severity matches the operational impact.</li>
                <li><strong>Categorized correctly</strong>: <em>malicious</em> means actively used in attacks (vendor-impersonation, phishing kit, stealer, vendor-side breach with confirmed misuse); <em>risky</em> means legitimate but commonly abused or has a high blast radius if compromised; <em>compliance</em> means a known-good first-party or major-vendor app worth pre-vetting in the consent flow.</li>
              </ul>

              <h3 style="margin-top: 24px;">Privacy</h3>
              <p>The form runs entirely in your browser. Field contents never leave your device until you click one of the three submit buttons - and even then, what gets sent is whatever the chosen channel does (GitHub issue, file download, mailto). OAuthSentry has no backend; there's nothing to leak.</p>
            </div>
          </div>
        </div>
      </div>
    </section>

    <!-- ============ API PAGE ============ -->
    <section id="page-api" hidden>
      <div class="shell">
        <div class="section">
          <h2>Static REST API</h2>
          <p class="lead">
            Every entry in OAuthSentry's catalog is callable as a JSON endpoint, hosted on GitHub Pages.
            No authentication, no rate-limit beyond GitHub's defaults, CORS open, served as <code>application/json</code>.
            Useful for SOAR enrichment, alert pipelines, custom tooling - anywhere you need the catalog at runtime.
          </p>

          <h3>Endpoints</h3>
          <table class="kv-table">
            <thead><tr><th>Method &amp; path</th><th>Purpose</th></tr></thead>
            <tbody>
              <tr>
                <td class="mono">GET /feeds/api/v1/apps/{slug}.json</td>
                <td>Single-app record. <code>404</code> when the app is not in OAuthSentry's catalog (which itself is a useful signal - means uncategorized).</td>
              </tr>
              <tr>
                <td class="mono">GET /feeds/api/v1/lookup_by_appid.json</td>
                <td>Bulk lookup as <code>{ appid: record }</code>. The right pattern for SIEM-side enrichment - fetch once, query in memory.</td>
              </tr>
              <tr>
                <td class="mono">GET /feeds/api/v1/lookup.json</td>
                <td>Bulk lookup keyed by slug instead of raw appid.</td>
              </tr>
              <tr>
                <td class="mono">GET /feeds/api/v1/meta.json</td>
                <td>Dataset metadata: total apps, breakdown by service and category, generated_at, schema version, the slug rule.</td>
              </tr>
            </tbody>
          </table>

          <h3>Computing the slug</h3>
          <p>Lower-case the appid, then replace any run of characters outside <code>[a-z0-9._-]</code> with a single hyphen, and strip leading/trailing hyphens. Examples:</p>
          <table class="kv-table">
            <thead><tr><th>Service</th><th>Raw appid</th><th>Slug</th></tr></thead>
            <tbody>
              <tr><td>Entra</td><td class="mono">c5393580-f805-4401-95e8-94b7a6ef2fc2</td><td class="mono">c5393580-f805-4401-95e8-94b7a6ef2fc2 (unchanged)</td></tr>
              <tr><td>Google</td><td class="mono">1084253493764-ipb2ntp4...apps.googleusercontent.com</td><td class="mono">(unchanged - already URL-safe)</td></tr>
              <tr><td>GitHub</td><td class="mono">Heroku Dashboard</td><td class="mono">heroku-dashboard</td></tr>
            </tbody>
          </table>

          <h3>Response shape</h3>
          <p>Every endpoint returning an app record uses the same JSON schema:</p>
          <div class="code-block">
            <div class="code-header">Sample response - Drift Email (malicious)<button class="copy-snippet" type="button">copy</button></div>
            <pre>{
  "appid":      "1084253493764-ipb2ntp4jb4rmqc76jp7habdrhfdus3q.apps.googleusercontent.com",
  "appname":    "Drift Email / Salesloft Drift Google Workspace OAuth app",
  "service":    "google",
  "category":   "malicious",
  "severity":   "critical",
  "comment":    "Astrix reported UNC6395 active operations through the Drift Email OAuth application...",
  "references": [
    "https://astrix.security/learn/blog/critical-update-astrix-research-team-discovers-unc6395-...",
    "https://github.com/mthcht/awesome-lists/blob/main/Lists/OAuth/google_oauth_apps.csv"
  ],
  "slug":       "1084253493764-ipb2ntp4jb4rmqc76jp7habdrhfdus3q.apps.googleusercontent.com"
}</pre>
          </div>

          <h3>Example uses</h3>

          <div class="code-block">
            <div class="code-header">curl - single-app lookup (the SOAR pattern)<button class="copy-snippet" type="button">copy</button></div>
            <pre>``` Slug rule: lower-case the appid, replace any non-[a-z0-9._-] run with one hyphen ```
``` Entra GUID and Google client_id are already URL-safe; GitHub names need slugifying ```

curl -s https://oauthsentry.github.io/feeds/api/v1/apps/c5393580-f805-4401-95e8-94b7a6ef2fc2.json
curl -s https://oauthsentry.github.io/feeds/api/v1/apps/heroku-dashboard.json
curl -s https://oauthsentry.github.io/feeds/api/v1/apps/1084253493764-ipb2ntp4jb4rmqc76jp7habdrhfdus3q.apps.googleusercontent.com.json

``` Test the not-found behavior ```
curl -s -o /dev/null -w "%{http_code}\n" https://oauthsentry.github.io/feeds/api/v1/apps/totally-made-up.json
``` -> 404 (means uncategorized; worth investigating in your environment) ```</pre>
          </div>

          <div class="code-block">
            <div class="code-header">Python - bulk catalog enrichment in your alert pipeline<button class="copy-snippet" type="button">copy</button></div>
            <pre>import json, requests

CATALOG_URL = "https://oauthsentry.github.io/feeds/api/v1/lookup_by_appid.json"
CATALOG = requests.get(CATALOG_URL, timeout=10).json()

def classify(appid: str) -&gt; dict | None:
    """Returns None if appid is uncategorized."""
    return CATALOG.get(appid.lower())

def on_consent_event(event):
    record = classify(event["app_id"])
    if record is None:
        log_for_review(event, reason="uncategorized OAuth app")
        return
    if record["category"] == "malicious":
        page_oncall(event, record)
    elif record["category"] == "risky":
        ticket_for_triage(event, record)
    # compliance -> known-good, no action</pre>
          </div>

          <div class="code-block">
            <div class="code-header">Splunk - external lookup for inline KQL/SPL enrichment<button class="copy-snippet" type="button">copy</button></div>
            <pre>``` 1. Download the malicious feed once a day on the search head ```
| inputlookup oauthsentry_malicious.csv
| outputlookup oauthsentry_malicious.csv
``` (or use a scheduled curl + lookup definition - see Feeds page) ```

``` 2. In any consent-event search, enrich inline ```
`oauthsentry_o365_audit` Operation="Consent to application"
| eval appid = lower(ObjectId)
| lookup oauthsentry_malicious appid OUTPUT category, severity, comment, references
| where category = "malicious"</pre>
          </div>

          <div class="code-block">
            <div class="code-header">JavaScript - browser-side lookup (e.g. Chrome extension)<button class="copy-snippet" type="button">copy</button></div>
            <pre>const slug = appid =&gt; appid.toLowerCase().replace(/[^a-z0-9._-]+/g, '-').replace(/^-|-$/g, '');

async function classify(appid) {
  const url = `https://oauthsentry.github.io/feeds/api/v1/apps/${slug(appid)}.json`;
  const res = await fetch(url);
  if (res.status === 404) return null;     // uncategorized
  if (!res.ok) throw new Error(`status ${res.status}`);
  return res.json();
}</pre>
          </div>

          <h3>Why this works on GitHub Pages</h3>
          <p>GitHub Pages serves <code>.json</code> files with <code>Content-Type: application/json</code> and sets <code>Access-Control-Allow-Origin: *</code> by default, which makes static JSON files behave indistinguishably from a real REST API endpoint to any HTTP caller. The build pipeline (<code>scripts/build_feeds.py</code>) generates the entire <code>feeds/api/v1/</code> tree on every catalog update, so every per-app endpoint and the bulk lookups are always in sync with the rest of the data.</p>

          <h3>Stability and versioning</h3>
          <p>The API is versioned in the URL path (<code>/v1/</code>). Breaking changes to the response schema or endpoint shapes will move to <code>/v2/</code> with the previous version remaining available; non-breaking additions (new fields) land in <code>/v1/</code>. The slug rule is documented in <a href="feeds/api/v1/meta.json"><code>meta.json</code></a> as part of the contract - any change to that rule would also be a major version bump.</p>
        </div>
      </div>
    </section>

    <!-- ============ METHODOLOGY PAGE ============ -->
    <section id="page-methodology" hidden>
      <div class="shell">
        <div class="section">
          <h2>Methodology</h2>
          <p class="lead">OAuthSentry mirrors and consolidates publicly-curated OAuth threat-intel datasets. The categories follow defender intent, not vendor wording.</p>

          <div class="feed-grid">
            <div class="feed-card compliance">
              <h3>Compliance</h3>
              <p class="desc">An app is in <em>compliance</em> if it is a verified first-party app from the platform vendor, or a vetted third-party app with no observed abuse pattern. This bucket is reference data for hunting and allowlist tuning, not a "safe" verdict for any tenant.</p>
            </div>
            <div class="feed-card risky">
              <h3>Risky</h3>
              <p class="desc">An app is <em>risky</em> if it is legitimate but has been repeatedly observed in attacker tradecraft (mailbox sync clients, broad-scope cloud sync, first-party apps abused via offensive tooling). Detection logic should escalate based on context: tenant prevalence, scopes consented, source IP, geography.</p>
            </div>
            <div class="feed-card malicious">
              <h3>Malicious</h3>
              <p class="desc">An app is <em>malicious</em> when at least one credible public report ties the App ID to an in-the-wild attack: consent phishing, AiTM session theft, or a known threat-actor cluster. Homoglyph apps impersonating Microsoft brands (Cyrillic Sharеpoint, OneDгive, etc.) are included.</p>
            </div>
          </div>
        </div>

        <div class="section">
          <h2>Upstream credit</h2>
          <p class="lead">OAuthSentry stands on the shoulders of community-maintained lists. Primary sources currently mirrored:</p>
          <ul style="font-family: var(--font-mono); font-size: 13px; color: var(--text-dim); line-height: 2;">
            <li><a href="https://github.com/mthcht/awesome-lists/tree/main/Lists/OAuth" target="_blank" rel="noopener">mthcht/awesome-lists - OAuth lists</a></li>
            <li><a href="https://github.com/randomaccess3/detections" target="_blank" rel="noopener">randomaccess3/detections - M365 OAuth detections</a></li>
            <li><a href="https://github.com/Cyera-Research-Labs/m365-malicious-app-iocs" target="_blank" rel="noopener">Cyera-Research-Labs/m365-malicious-app-iocs</a></li>
            <li><a href="https://github.com/anak0ndah/EntraHunt" target="_blank" rel="noopener">anak0ndah/EntraHunt</a></li>
            <li><a href="https://github.com/merill/microsoft-info" target="_blank" rel="noopener">merill/microsoft-info - first-party app names</a></li>
            <li><a href="https://www.wiz.io/blog/detecting-malicious-oauth-applications" target="_blank" rel="noopener">Wiz - Detecting malicious OAuth applications</a></li>
            <li><a href="https://rhisac.org/threat-intelligence/microsoft-oauth-app-impersonation-leads-to-mfa-phishing/" target="_blank" rel="noopener">RH-ISAC / Proofpoint - Microsoft OAuth impersonation</a></li>
            <li><a href="https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/" target="_blank" rel="noopener">Volexity - UTA0352/UTA0355 OAuth phishing</a></li>
          </ul>
        </div>
      </div>
    </section>

  </main>

  <footer>
    <div class="shell footer-inner">
      <span>OAuthSentry - MIT - no warranty - use defensively</span>
      <span>
        <a href="https://github.com/oauthsentry/oauthsentry.github.io">github</a>
        <span style="margin: 0 8px; color: var(--border-strong);">|</span>
        <a href="#/search">&uarr; top</a>
      </span>
    </div>
  </footer>

  <!-- Detail panel -->
  <div class="overlay" id="overlay">
    <aside class="panel" id="panel" role="dialog" aria-modal="true" aria-label="Application detail"></aside>
  </div>

  <!-- PapaParse vendored locally - no external CDN dependency. License: MIT (mholt/PapaParse). -->
  <script src="assets/vendor/papaparse-5.4.1.min.js"></script>
  <script src="assets/js/app.js"></script>

</body>
</html>