Sign In

TH1.13 The Hunt-to-Detection Pipeline: Worked End-to-End

3-4 hours · Module 1 · Free
Operational Objective
The previous subsections taught each step of the Hunt Cycle individually. This subsection puts them together — a complete worked example from threat intelligence input through hypothesis, scope, collection, analysis, conclusion, and detection rule deployment. One continuous narrative that demonstrates how the steps connect in practice.
Deliverable: A complete end-to-end example of the Hunt Cycle that you can reference as a model when executing your own campaigns.
⏱ Estimated completion: 30 minutes

This example follows the Hunt Cycle from start to finish. It is drawn from the same technique domain as TH6 (OAuth Application and Consent Abuse) but condensed to demonstrate the methodology, not the full campaign depth.

Step 1: Hypothesize

Source: Microsoft Security Blog — “Midnight Blizzard conducts targeted social engineering over Microsoft Teams” (August 2023). The report describes consent phishing via Teams messages, where the attacker persuades a user to consent to an OAuth application with high-privilege delegated permissions.

Hypothesis: “If an attacker used consent phishing to gain persistent access, AuditLogs will contain ‘Consent to application’ operations granting Mail.ReadWrite or Files.ReadWrite.All delegated permissions from non-admin users in the last 90 days.”

Quality check: Specific (names technique, data source, indicator). Testable (AuditLogs is ingested). Grounded (TI report from Microsoft). Actionable (if confirmed, revoke consent and investigate; if refuted, deploy detection rule and document).

Step 2: Scope

Data sources: AuditLogs (consent events), AADServicePrincipalSignInLogs (post-consent app behavior). Time window: 90 days (consent phishing may have occurred months ago; the application persists until revoked). Population: Full tenant (consent phishing targets any user, not just privileged accounts). Success criteria — positive: User-consented application with Mail.ReadWrite or Files.ReadWrite.All from a non-IT user, where the application is not a recognized productivity tool. Success criteria — negative: Full tenant examined across 90 days, no unrecognized high-privilege user-consented applications found.

Step 3: Collect

Query 1 — Orientation: How many consent events in 90 days?

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

// Q1: Orientation  consent event volume
AuditLogs
| where TimeGenerated > ago(90d)
| where OperationName == "Consent to application"
| where Result == "success"
| summarize TotalConsents = count(),
    UniqueApps = dcount(tostring(TargetResources[0].displayName)),
    UniqueUsers = dcount(tostring(InitiatedBy.user.userPrincipalName))
// Result: 347 consents, 42 unique apps, 189 unique users
// Assessment: expected volume for a mid-sized org

Query 2 — Indicator: Filter to high-privilege delegated permissions.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

// Q2: Indicator  high-privilege consent events
AuditLogs
| where TimeGenerated > ago(90d)
| where OperationName == "Consent to application"
| where Result == "success"
| extend AppName = tostring(TargetResources[0].displayName)
| extend ConsentedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend Permissions = tostring(TargetResources[0].modifiedProperties)
| where Permissions has_any (
    "Mail.ReadWrite", "Files.ReadWrite.All",
    "Mail.Send", "Directory.ReadWrite.All")
| project TimeGenerated, ConsentedBy, AppName, Permissions
// Result: 12 consent events with high-privilege permissions

Query 3 — Refinement: Exclude known IT/admin users.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

// Q3: Refinement  exclude IT department
// 12 results from Q2  filter out IT staff
AuditLogs
| where TimeGenerated > ago(90d)
| where OperationName == "Consent to application"
| where Result == "success"
| extend AppName = tostring(TargetResources[0].displayName)
| extend ConsentedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend Permissions = tostring(TargetResources[0].modifiedProperties)
| where Permissions has_any (
    "Mail.ReadWrite", "Files.ReadWrite.All",
    "Mail.Send", "Directory.ReadWrite.All")
| where ConsentedBy !endswith "@northgateeng.com"
    or ConsentedBy !in ("admin@northgateeng.com",
    "it-service@northgateeng.com")
// Exclude known admin accounts
// Result: 4 consent events from non-IT users

Query 4 — Enrichment: What are these 4 applications?

The analyst examines each:

  1. Grammarly — recognized productivity tool. Legitimate.
  2. Adobe Acrobat — recognized. Legitimate.
  3. Zoom — recognized. Legitimate.
  4. “DocuHelper Pro” — not recognized. Consented by l.chen@northgateeng.com on 2026-02-15. Permissions: Mail.ReadWrite, Files.ReadWrite.All.

Query 5 — Pivot: What did “DocuHelper Pro” do after consent?

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

// Q5: Pivot  post-consent behavior for suspect app
AADServicePrincipalSignInLogs
| where TimeGenerated > ago(90d)
| where ServicePrincipalName == "DocuHelper Pro"
| summarize
    SignInCount = count(),
    UniqueIPs = dcount(IPAddress),
    IPs = make_set(IPAddress, 5),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
// Result: 847 sign-ins from 3 IPs since consent date
// IPs resolve to: US residential proxy, Netherlands VPS, Singapore VPS
// Sign-in pattern: continuous, 24/7, not human-driven
// Assessment: This is not a legitimate productivity tool

Step 4: Analyze

Enrichment across five dimensions for “DocuHelper Pro”:

User context: l.chen is a marketing coordinator. No legitimate reason to consent to a mail/file access application not on the approved list.

Temporal: Consent occurred 2026-02-15 at 10:23 UTC. Check EmailEvents — a Teams message from an external sender was received at 09:45 UTC on the same day containing a consent link. The 38-minute gap between message delivery and consent is consistent with social engineering.

Geographic: Post-consent sign-ins from 3 countries (US, Netherlands, Singapore) on residential proxy and VPS infrastructure. Not l.chen’s sign-in pattern.

Behavioral: 847 sign-ins over 43 days. Continuous, automated access. Mail.ReadWrite permission means the application has been reading all of l.chen’s email for 43 days.

Correlated: 4 dimensions indicate compromise. Confidence: High.

Step 5: Conclude

Outcome: Confirmed. “DocuHelper Pro” is a malicious OAuth application that has been reading l.chen’s email for 43 days via consented Mail.ReadWrite permissions, following a consent phishing attack delivered via Teams.

Escalation package: Finding (l.chen compromised via OAuth consent phishing, 43-day dwell time), evidence (consent event, Teams message, 847 automated sign-ins from 3 proxy IPs), recommended containment (revoke application consent, revoke l.chen’s sessions, reset password, review all email sent and received during the 43-day window, check for data exfiltration or BEC activity from the account).

Dwell time compression: The application was active for 43 days. No detection rule existed for this technique. Without hunting, the compromise would have continued indefinitely until the application was discovered through a separate investigation or the attacker achieved their objective.

Step 6: Convert

The step 2 query (high-privilege consent from non-admin users), with exclusions for the three known legitimate applications (Grammarly, Adobe, Zoom), becomes a Sentinel analytics rule:

Rule name: HUNT-TH6-001: High-privilege OAuth consent by non-admin user Frequency: Every 4 hours, 6-hour lookback Exclusions: Known apps on allowlist (Grammarly, Adobe Acrobat, Zoom, Microsoft To-Do) Entity mapping: Account (ConsentedBy), Application (AppName) Severity: Medium (single indicator — consent event; escalate to High if post-consent SPN sign-in anomalies detected) Deployed: Report-only for 14 days, then promoted to production.

WORKED EXAMPLE — COMPLETE HUNT CYCLE IN ONE FLOW1. HYPOTHESIZETI → OAuth consent2. SCOPEAuditLogs, 90d, full3. COLLECT5 queries: 347→12→4→14. ANALYZE4/5 dims = HIGH conf5. CONCLUDECONFIRMED → IR6. CONVERTHUNT-TH6-001 deployedOUTPUT: 1 compromise found (43-day dwell time compressed) + 1 permanent detection ruleTotal analyst time: ~6 hours. Detection gap for T1098.003 closed permanently.

Figure TH1.13 — Complete Hunt Cycle worked example. Six steps, five queries, one compromise found, one detection rule deployed. The technique moves from unmonitored to automated detection in a single campaign.

Try it yourself

Exercise: Run the OAuth consent hunt in your environment

Follow the five queries in this worked example against your own Sentinel workspace. Replace the fictional entity names with your environment's data.

You may find: all consented applications are legitimate (negative finding — document it, deploy the detection rule). Or you may find an unrecognized application with high-privilege permissions — investigate it using the five enrichment dimensions.

Either outcome is a successful hunt. Both produce a detection rule. This is TH6 in preview.

⚠ Compliance Myth: "A 43-day dwell time proves our security program is failing"

The myth: If an attacker was present for 43 days, the security program has failed. This finding reflects poorly on the team.

The reality: The 43-day dwell time reflects a detection gap — the technique had no detection rule. The hunting program just closed that gap. Before the hunt, the organization had zero visibility into this technique and the attacker would have persisted indefinitely. After the hunt, the compromise is contained AND a detection rule ensures the technique is automatically detected in the future. The hunt is the proof the security program is working — it found something that no rule could. The dwell time is the measure of what the detection gap cost. The hunt is what closed it.

Extend this example

This worked example covers a single-entity finding. TH6 (the full OAuth campaign module) extends this to a comprehensive tenant-wide audit of all OAuth applications — not just new consents, but dormant applications with high permissions that were consented months or years ago and have never been reviewed. The full campaign also examines first-party Microsoft applications with excessive permissions and service principals with credentials that have not been rotated. The worked example here is the entry point. The campaign module is the complete investigation.

📋 Operational Artifact — Complete Hunt Record for Worked Example

Hunt ID: TH-2026-003 | Analyst: [name] | Date: [date] | Status: Completed — Confirmed

Hypothesis: OAuth consent phishing granting Mail.ReadWrite or Files.ReadWrite.All from non-admin users. Source: TI (Microsoft Security Blog — Midnight Blizzard). ATT&CK: T1098.003

Scope: AuditLogs + AADServicePrincipalSignInLogs | 90 days | Full tenant

Collection: Q1: 347 consents (orientation). Q2: 12 high-privilege (indicator). Q3: 4 non-admin (refinement). Q4: 1 unrecognized app — “DocuHelper Pro” (enrichment). Q5: 847 automated sign-ins from proxy IPs (pivot).

Analysis: DocuHelper Pro — 4/5 dimensions indicate compromise. High confidence.

Conclusion: Confirmed. Escalated. 43-day dwell time. Containment: consent revoked, sessions revoked, password reset, email review initiated.

Detection conversion: HUNT-TH6-001 deployed. Medium severity. 4-hour frequency. Known app allowlist configured from FP analysis.

References Used in This Subsection

  • Microsoft Threat Intelligence. “Midnight Blizzard conducts targeted social engineering over Microsoft Teams.” Microsoft Security Blog, August 2023.
  • MITRE ATT&CK Techniques referenced: T1098.003 (Account Manipulation: Additional Cloud Roles)
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You're reading the free modules of this course

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.

View Pricing See Full Syllabus
← TH1.12 Escalation Protocols and IR Handoff TH1.14 Hunt Cadence and Scheduling Models →