
Azure Consent Grant

Anvilogic Forge

Summary
The Azure Consent Grant detection rule identifies cases where an attacker tricks a user, typically by phishing, into granting a malicious application consent to access the user's data. Once the victim grants consent, the attacker can use that authorization to gain unauthorized access to sensitive information. The rule uses Azure activity logs and OAuth audit logs to monitor consent events for applications: it searches for the phrase 'Consent to application', keeps only successful grants, and aggregates fields such as the user identity, access keys, event timestamps, and the permissions granted. Aggregation is per user over 1-second windows, which keeps each consent grant as a distinct, precisely timed event. The detection focuses on anomalous user consent in Azure and maps to the known attack pattern in which stolen application access tokens are used. The detection logic is written in Splunk search language; it processes and visualizes the logged events so security teams can quickly identify and respond to consent grant abuse in Azure environments.
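The following Python script is an added illustration of the aggregation the rule performs, written for this page; it is not Anvilogic's Splunk logic and not part of the original summary. It assumes audit records in the Entra ID (Azure AD) audit-log shape as commonly exported to a SIEM (activityDisplayName, result, initiatedBy.user.userPrincipalName, targetResources[].modifiedProperties[] with a "ConsentAction.Permissions" entry), and it recovers the granted scopes from the "Scope: ..." fragment of that property's newValue string. The sample events, user names and application ids are constructed placeholders.

```python
"""Added example: replay the consent-grant aggregation over constructed
Azure AD audit records (successful 'Consent to application' events,
grouped per user in 1-second windows)."""
import re
from collections import defaultdict
from datetime import datetime

# Assumption: newValue carries a fragment like "Scope: Mail.Read offline_access".
SCOPE_RE = re.compile(r"Scope:\s*([^,\]]+)")


def _event(stamp, user, result, app, app_id, scope):
    """Build one constructed audit record in the assumed schema."""
    return {
        "activityDateTime": stamp,
        "activityDisplayName": "Consent to application",
        "result": result,
        "initiatedBy": {"user": {"userPrincipalName": user}},
        "targetResources": [{
            "displayName": app,
            "id": app_id,  # placeholder application object id
            "modifiedProperties": [{
                "displayName": "ConsentAction.Permissions",
                "newValue": f"[] => [[ConsentType: Principal, Scope: {scope}, ...]]",
            }],
        }],
    }


# Constructed sample: two successful grants by alice inside the same second,
# one failed grant by alice, and one successful grant by bob.
SAMPLE_AUDIT_EVENTS = [
    _event("2024-02-09T10:15:42.130Z", "alice@example.test", "success",
           "Mail Sync Helper", "app-placeholder-0001", "Mail.Read offline_access"),
    _event("2024-02-09T10:15:42.870Z", "alice@example.test", "success",
           "Mail Sync Helper", "app-placeholder-0001", "Files.Read.All"),
    _event("2024-02-09T10:15:50.000Z", "alice@example.test", "failure",
           "Mail Sync Helper", "app-placeholder-0001", "Directory.Read.All"),
    _event("2024-02-09T10:16:05.400Z", "bob@example.test", "success",
           "Calendar Viewer", "app-placeholder-0002", "User.Read"),
]


def parse_window(stamp):
    """ISO-8601 'Z' timestamp -> 1-second window key (aware datetime, no microseconds)."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).replace(microsecond=0)


def granted_scopes(event):
    """Collect delegated scopes from the ConsentAction.Permissions property."""
    scopes = set()
    for resource in event.get("targetResources", []):
        for prop in resource.get("modifiedProperties", []):
            if prop.get("displayName") != "ConsentAction.Permissions":
                continue
            for match in SCOPE_RE.finditer(prop.get("newValue", "")):
                scopes.update(match.group(1).split())
    return scopes


def aggregate_consent_grants(events):
    """One row per (user, 1-second window) over successful consent grants,
    carrying the applications, application ids and scopes granted."""
    rows = defaultdict(lambda: {"count": 0, "apps": set(), "app_ids": set(), "scopes": set()})
    for ev in events:
        if ev.get("activityDisplayName") != "Consent to application":
            continue
        if ev.get("result") != "success":  # the rule keeps successful grants only
            continue
        user = ev.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")
        window = parse_window(ev["activityDateTime"]).isoformat()
        row = rows[(user, window)]
        row["count"] += 1
        for resource in ev.get("targetResources", []):
            row["apps"].add(resource.get("displayName", ""))
            row["app_ids"].add(resource.get("id", ""))
        row["scopes"].update(granted_scopes(ev))
    return [
        {"user": user, "window": window,
         **{k: (sorted(v) if isinstance(v, set) else v) for k, v in row.items()}}
        for (user, window), row in sorted(rows.items())
    ]


if __name__ == "__main__":
    for row in aggregate_consent_grants(SAMPLE_AUDIT_EVENTS):
        print(row)
```

Run against the constructed sample, the script yields two rows: alice's two grants collapse into one 1-second window with the union of their scopes, the failed grant is dropped, and bob's grant forms its own row. In a real pipeline the scope list is what an analyst triages first, since broad mailbox or file scopes granted to an unfamiliar application are the signature of this abuse.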
Categories
  • Cloud
  • Azure
Data Sources
  • Cloud Service
  • User Account
  • Application Log
ATT&CK Techniques
  • T1528
Created: 2024-02-09