
Azure AD User Consent Denied for OAuth Application

Splunk Security Content

Summary
This detection rule identifies instances where users have denied consent to OAuth applications in Azure Active Directory. The denials are recorded in Azure AD audit logs with error code 65004 and indicate that a user recognised a potentially suspicious or untrusted application. Such events help identify unauthorized attempts by malicious applications to gain access to sensitive data; monitoring them also helps refine security policies and raises user awareness of application security. The analytic retrieves these denial events with a Splunk search over the audit logs in which denied OAuth consent is recorded.
Categories
  • Cloud
  • Identity Management
  • Azure
Data Sources
  • User Account
  • Cloud Service
  • Active Directory
ATT&CK Techniques
  • T1528
Created: 2024-11-14