Detecting OAuth Abuse
Status: Scaffold — content in progress
Paired Attack: [Link to attack page]
DRL Level: DRL-3
Detection Confidence: [High / Medium]
Required Telemetry
| Source | Field / Signal | Notes |
|---|---|---|
| Entra ID Sign-in log | [Key fields] | |
| Entra ID Audit log | [Key fields] | |
Sigma Rule
title: Detecting OAuth Abuse
status: experimental
# Fill in rule
KQL — Microsoft Sentinel
// Fill in KQL query
False Positive Handling
[Document known benign causes]
Cross-Links
| Topic | Link |
|---|---|
| Detection Framework | detection-framework |