ZaunDocs

Identity + OAuth

Monitor risky OAuth grants and suspicious identity signals.

Zaun's Identity + OAuth module monitors your identity providers for risky OAuth grants, suspicious authentication patterns, and identity-based threats.

What Zaun Monitors

OAuth Grant Analysis

  • New OAuth application authorizations across your organization
  • Over-privileged OAuth scopes (e.g., full mailbox access)
  • OAuth grants to unverified or suspicious applications
  • Dormant OAuth applications with active permissions

Identity Threat Detection

  • Impossible travel (authentication from geographically distant locations)
  • Credential stuffing and brute force attempts
  • Suspicious MFA behavior (bypass attempts, MFA fatigue)
  • Privilege escalation patterns

Session Monitoring

  • Token theft and session hijacking indicators
  • Anomalous session activity patterns
  • Service account abuse

Specific Use Cases

OAuth Consent Phishing

An attacker sends a crafted OAuth consent URL for an application named to look legitimate, such as "Microsoft Teams Update" or "Google Security Alert." When the user clicks and grants the requested permissions, the attacker's app receives its own tokens with full mailbox access through the Microsoft Graph API or the Gmail API. MFA does not stop this: the user completes a normal sign-in and then consents. Zaun detects the new OAuth grant to an unverified publisher and alerts immediately.

Impossible Travel Detection

A user authenticates to Okta from New York at 9:00 AM, then to Entra ID from Singapore at 9:45 AM. Each identity provider sees only its own sign-ins, so neither one on its own observes the pair, and a VPN exit node can further mask where one of the logins really came from. Zaun correlates authentication events across Okta, Entra ID, and Google Workspace, catching impossible travel even when the two logins land on different identity providers.
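The correlation described above, as an added example that is not Zaun's own code: sign-in events from several identity providers are pooled per user and consecutive logins that would require an implausible speed are flagged, using the same 500 km / 60 minute thresholds as the policy example on this page. The event layout, coordinates and timestamps are constructed for illustration.

```python
"""Cross-IdP impossible-travel check.

Added example, not Zaun's own code: sign-in events from several identity
providers are merged per user and consecutive logins that would require
an implausible speed are flagged. Event records, coordinates and the
timestamps are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Same thresholds as the policy example on this page: two logins more than
# 500 km apart within 60 minutes count as impossible travel.
THRESHOLD_KM = 500
THRESHOLD_MINUTES = 60


@dataclass(frozen=True)
class SignIn:
    user: str       # identity normalised across IdPs (here the e-mail address)
    idp: str        # "okta", "entra" or "google"
    ts: datetime    # UTC
    lat: float
    lon: float
    city: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points (mean Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, threshold_km=THRESHOLD_KM, threshold_minutes=THRESHOLD_MINUTES):
    """Return (earlier, later, km, minutes) for each consecutive pair of sign-ins
    by one user that exceeds the distance threshold inside the time threshold.

    Events from every IdP are pooled and sorted per user first; that is what
    lets an Okta login in New York and an Entra ID login in Singapore be seen
    as one sequence even though neither provider saw both.
    """
    by_user = {}
    for e in events:
        by_user.setdefault(e.user.lower(), []).append(e)
    hits = []
    for user_events in by_user.values():
        user_events.sort(key=lambda e: e.ts)
        for prev, cur in zip(user_events, user_events[1:]):
            minutes = (cur.ts - prev.ts).total_seconds() / 60
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km > threshold_km and minutes <= threshold_minutes:
                hits.append((prev, cur, round(km), round(minutes)))
    return hits


def utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample: the scenario above split across two IdPs, plus a benign
# pair of logins a few kilometres apart.
SAMPLE_EVENTS = [
    SignIn("alice@example.com", "okta", utc("2024-05-01T13:00:00"), 40.7128, -74.0060, "New York"),
    SignIn("alice@example.com", "entra", utc("2024-05-01T13:45:00"), 1.3521, 103.8198, "Singapore"),
    SignIn("bob@example.com", "okta", utc("2024-05-01T13:00:00"), 40.7128, -74.0060, "New York"),
    SignIn("bob@example.com", "google", utc("2024-05-01T13:30:00"), 40.7580, -73.9855, "New York"),
]

if __name__ == "__main__":
    for prev, cur, km, minutes in impossible_travel(SAMPLE_EVENTS):
        print(f"{prev.user}: {prev.city} via {prev.idp} -> {cur.city} via {cur.idp}: "
              f"{km} km in {minutes} min")
```

Known corporate VPN egress addresses should be mapped to a fixed location or skipped before this check runs; otherwise every user behind the VPN trips the rule whenever they also sign in from a phone on a mobile network.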

MFA Fatigue / Push Bombing

An attacker holding stolen credentials triggers repeated MFA push notifications through Duo, Okta Verify, or Microsoft Authenticator until the user approves one, whether by mistake or just to make the prompts stop. Zaun detects the pattern of several rapid push denials or timeouts followed by an approval, and raises the severity when the approval lands outside business hours.
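The detection logic described above, as an added example that is not Zaun's own code: a burst of denied or timed-out pushes for one user followed by an approval inside a short window is flagged, and the approval's local hour decides the severity. The log format, the window and count thresholds, and the sample events are constructed for illustration.

```python
"""MFA push-bombing (MFA fatigue) detector.

Added example, not Zaun's own code: it scans MFA push outcomes from a
Duo/Okta Verify/Authenticator-style log and flags an approval that
follows a burst of rapid denials or timeouts. The line format, the
thresholds and the sample events are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

BURST_WINDOW = timedelta(minutes=10)   # denials must fall inside this window before the approval
MIN_DENIALS = 3                        # how many non-approvals make a burst
BUSINESS_HOURS = range(8, 18)          # local hours in which an approval is considered normal


def parse(line):
    """Parse one constructed log line: '<utc iso ts> <user> <result> <tz_offset_hours>'."""
    ts, user, result, tz_offset = line.split()
    t = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
    return {"ts": t, "user": user, "result": result, "tz_offset": int(tz_offset)}


def detect_push_bombing(lines, window=BURST_WINDOW, min_denials=MIN_DENIALS):
    """Return one alert per approval that was preceded by a burst of denials."""
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    alerts = []
    for i, e in enumerate(events):
        if e["result"] != "approved":
            continue
        # This user's denied or timed-out pushes in the window before the approval.
        burst = [p for p in events[:i]
                 if p["user"] == e["user"]
                 and p["result"] in ("denied", "timeout")
                 and e["ts"] - p["ts"] <= window]
        if len(burst) < min_denials:
            continue
        # The user's local hour tells us whether the approval came at 3 AM or mid-morning.
        local_hour = (e["ts"] + timedelta(hours=e["tz_offset"])).hour
        alerts.append({
            "user": e["user"],
            "denials_before_approval": len(burst),
            "seconds_from_first_push": int((e["ts"] - burst[0]["ts"]).total_seconds()),
            "approved_at_local_hour": local_hour,
            "severity": "high" if local_hour not in BUSINESS_HOURS else "medium",
        })
    return alerts


# Constructed sample: carol is bombed late at night (UTC-5) and finally approves;
# dave denies once and approves a legitimate second prompt during the day.
SAMPLE_MFA_LOG = """\
2024-05-02T03:01:00 carol@example.com denied -5
2024-05-02T03:01:40 carol@example.com denied -5
2024-05-02T03:02:15 carol@example.com timeout -5
2024-05-02T03:03:05 carol@example.com denied -5
2024-05-02T03:04:00 carol@example.com approved -5
2024-05-02T14:00:00 dave@example.com denied +1
2024-05-02T14:05:00 dave@example.com approved +1
""".splitlines()

if __name__ == "__main__":
    for a in detect_push_bombing(SAMPLE_MFA_LOG):
        print(a)
```

An approval after a burst is the actionable signal; the burst alone only tells you the password is already compromised and should be rotated. Feeding the detector a single merged stream from all push providers matters because an attacker can bomb whichever factor the account has enrolled.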

Dormant OAuth App Reactivation

A third-party app, such as a former vendor's integration, sits dormant for months in Google Workspace while its OAuth tokens stay valid. When the vendor's infrastructure is compromised, the attacker uses the still-valid token to read your data without touching a password or an MFA prompt. Zaun flags OAuth apps that have not been used in 90+ days but still hold active permissions, so the grants can be revoked before that happens.
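The grant review that serves both the consent-phishing case and the dormant-app case above, as an added example that is not Zaun's own code: each OAuth grant record is checked for sensitive scopes, an unverified publisher, a name that imitates a first-party product, and a last-use date more than 90 days old. The record layout, the scope list (taken from the policy example on this page plus two Gmail scopes) and the sample grants are constructed for illustration.

```python
"""OAuth grant risk review: consent phishing and dormant apps.

Added example, not Zaun's own code: it evaluates OAuth grant records of
the kind exported from Entra ID or Google Workspace against the policy
shown on this page (alert on sensitive scopes, flag unverified
publishers, flag apps unused for 90+ days). The record layout, the
lookalike word list and the sample grants are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Scopes that give broad access to mail, files or the directory. Microsoft
# Graph scopes are compared lower-cased; Gmail scopes are URLs.
SENSITIVE_SCOPES = {
    "mail.read", "mail.readwrite", "files.readwrite.all", "user.read.all",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
}
DORMANT_AFTER = timedelta(days=90)
# Words consent-phishing apps borrow to look first-party (constructed list).
LOOKALIKE_WORDS = ("microsoft", "google", "teams", "security alert")


def review_grant(grant, now):
    """Return a list of (finding, severity) for one grant record.

    grant keys: app, publisher_verified (bool), scopes (list of str),
    granted_at (datetime), last_used_at (datetime or None), user.
    """
    findings = []
    scopes = {s.lower() for s in grant["scopes"]}
    sensitive = sorted(scopes & SENSITIVE_SCOPES)

    # Consent-phishing shape: an app from an unverified publisher asking for
    # mailbox, file or directory access.
    if sensitive and not grant["publisher_verified"]:
        findings.append((f"unverified publisher granted sensitive scopes {sensitive}", "high"))
    elif sensitive:
        findings.append((f"sensitive scopes granted {sensitive}", "medium"))

    # Lookalike naming only matters when nobody has vouched for the publisher.
    if not grant["publisher_verified"] and any(w in grant["app"].lower() for w in LOOKALIKE_WORDS):
        findings.append(("app name imitates a first-party product", "high"))

    # Dormant grant: still authorised but not exercised in 90+ days. A grant
    # that was never used counts from the day it was granted.
    last_seen = grant["last_used_at"] or grant["granted_at"]
    if scopes and now - last_seen >= DORMANT_AFTER:
        findings.append((f"dormant for {(now - last_seen).days} days with live permissions", "medium"))
    return findings


def review_grants(grants, now):
    """Map app name -> findings for a batch of grant records."""
    return {g["app"]: review_grant(g, now) for g in grants}


def utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


NOW = utc("2024-05-01T10:00:00")
# Constructed sample: a consent-phishing app granted this morning, a verified
# vendor integration nobody has used since January, and a benign app.
SAMPLE_GRANTS = [
    {"app": "Microsoft Teams Update", "publisher_verified": False,
     "scopes": ["Mail.Read", "offline_access", "User.Read"],
     "granted_at": utc("2024-05-01T09:12:00"), "last_used_at": utc("2024-05-01T09:13:00"),
     "user": "alice@example.com"},
    {"app": "Acme Vendor Sync", "publisher_verified": True,
     "scopes": ["Files.ReadWrite.All"],
     "granted_at": utc("2023-11-01T00:00:00"), "last_used_at": utc("2024-01-15T00:00:00"),
     "user": "bob@example.com"},
    {"app": "Expense Helper", "publisher_verified": True,
     "scopes": ["User.Read"],
     "granted_at": utc("2024-04-20T00:00:00"), "last_used_at": utc("2024-04-30T00:00:00"),
     "user": "carol@example.com"},
]

if __name__ == "__main__":
    for app, findings in review_grants(SAMPLE_GRANTS, NOW).items():
        for text, severity in findings:
            print(f"[{severity}] {app}: {text}")
```

Note that User.Read (the signed-in user's own profile) is not in the sensitive list while User.Read.All (the whole directory) is; scope checks that match on prefixes will confuse the two.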

Service Account Abuse

A service account in Entra ID or Google Cloud IAM with broad permissions is used interactively by an employee, or its credentials show up in a public GitHub repository. Zaun detects non-automated usage patterns on service accounts and alerts on credential exposure through integration with GitHub Secret Scanning or GitGuardian.

Privilege Escalation via Role Assignment

An administrator assigns themselves or another user the Global Admin role in Entra ID, the Super Admin role in Google Workspace, or the Org Admin role in Okta. Zaun detects unusual privilege grants, especially self-assigned roles or grants made outside change management windows.

Session Token Theft (AiTM Attacks)

An attacker uses an adversary-in-the-middle phishing toolkit such as EvilProxy or Evilginx to relay the victim's real login, MFA included, and capture the resulting session cookie or token for Microsoft 365 or Google Workspace. Because the token is genuine, MFA has already been satisfied by the time it is replayed. Zaun detects session anomalies such as a token being used from a different IP address, user agent, or geography than the one it was issued to.
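The session-binding check described above, as an added example that is not Zaun's own code: the client fingerprint (IP address, country, user agent) seen when a session is issued is compared against every later use of the same session, and a use that differs on two or more attributes is treated as replay. The log format, session identifiers and sample events are constructed; the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Session-binding anomaly check for AiTM token replay.

Added example, not Zaun's own code: it records the client fingerprint
(IP, country, user agent) at the moment a session is issued and compares
every later use of that session against it. Log format, session ids and
events are constructed; addresses use RFC 5737 documentation ranges.
"""
from datetime import datetime, timezone


def parse_event(line):
    """'<utc iso ts> <issued|used> <session_id> <user> <ip> <country> <user agent...>' (constructed format)."""
    ts, kind, sid, user, ip, country, *ua = line.split()
    return {"ts": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
            "kind": kind, "sid": sid, "user": user, "ip": ip, "country": country,
            "ua": " ".join(ua)}


def session_anomalies(lines):
    """Return alerts for session uses whose client differs from the issuing client."""
    issued = {}
    alerts = []
    for e in sorted((parse_event(line) for line in lines), key=lambda x: x["ts"]):
        if e["kind"] == "issued":
            issued[e["sid"]] = e
            continue
        origin = issued.get(e["sid"])
        if origin is None:
            # A session we never saw issued: the token was minted through a path
            # our logs do not cover, which itself deserves a look.
            alerts.append({"sid": e["sid"], "user": e["user"], "severity": "medium",
                           "reasons": ["use of a session with no observed issuance"]})
            continue
        reasons = []
        if e["ip"] != origin["ip"]:
            reasons.append(f"ip {origin['ip']} -> {e['ip']}")
        if e["country"] != origin["country"]:
            reasons.append(f"country {origin['country']} -> {e['country']}")
        if e["ua"] != origin["ua"]:
            reasons.append(f"user agent {origin['ua']!r} -> {e['ua']!r}")
        if not reasons:
            continue
        # An IP change on its own is routine (mobile networks, VPN egress). A
        # changed user agent or country on top of it is the shape a replayed
        # token leaves when the attacker drives it from their own tooling.
        alerts.append({
            "sid": e["sid"], "user": e["user"], "reasons": reasons,
            "minutes_since_issue": int((e["ts"] - origin["ts"]).total_seconds() // 60),
            "severity": "high" if len(reasons) >= 2 else "low",
        })
    return alerts


# Constructed sample: erin's session is replayed six minutes after issue from a
# different country with a scripting client; frank's phone merely changes IP.
SAMPLE_SESSION_LOG = """\
2024-05-03T08:00:00 issued s1 erin@example.com 203.0.113.10 US Mozilla/5.0 (Windows NT 10.0) Chrome/124
2024-05-03T08:00:30 used s1 erin@example.com 203.0.113.10 US Mozilla/5.0 (Windows NT 10.0) Chrome/124
2024-05-03T08:06:00 used s1 erin@example.com 198.51.100.7 NL python-requests/2.31
2024-05-03T09:00:00 issued s2 frank@example.com 192.0.2.44 DE Mozilla/5.0 (iPhone) Safari/17
2024-05-03T09:20:00 used s2 frank@example.com 192.0.2.45 DE Mozilla/5.0 (iPhone) Safari/17
""".splitlines()

if __name__ == "__main__":
    for a in session_anomalies(SAMPLE_SESSION_LOG):
        print(a)
```

A proxy toolkit can copy the victim's user agent and sit on a residential IP in the same country, so this fingerprint comparison is a signal to correlate with the others on this page rather than a proof of theft on its own.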

Supported Identity Providers

Provider             | OAuth Monitoring | Identity Threats | Session Monitoring
---------------------|------------------|------------------|-------------------
Okta                 | Yes              | Yes              | Yes
Microsoft Entra ID   | Yes              | Yes              | Yes
Google Workspace     | Yes              | Yes              | Yes
OneLogin             | Yes              | Yes              | Partial
JumpCloud            | Yes              | Partial          | Partial
Duo Security         | No               | Yes              | Yes
Ping Identity        | Yes              | Yes              | Partial
Auth0                | Yes              | Partial          | Partial

Integrations

Integration                 | Signal Type         | What It Provides
----------------------------|---------------------|---------------------------------------------------------------
Okta System Log             | Auth events         | Login attempts, MFA events, OAuth grants, group changes
Entra ID Audit Logs         | Auth events         | Sign-ins, consent grants, role assignments, conditional access
Google Workspace Admin      | Auth events         | Login activity, OAuth tokens, admin changes
Duo Admin API               | MFA events          | Push approvals, denials, bypass codes, enrollment
CrowdStrike Falcon Identity | Identity threats    | Lateral movement, credential theft, AD reconnaissance
GitHub Secret Scanning      | Credential exposure | Service account keys found in repositories
GitGuardian                 | Credential exposure | API keys, tokens, secrets in code
Slack Audit Logs            | Session activity    | App installs, OAuth authorizations, workspace access

Configuration

# Example: Identity monitoring policy
identity:
  oauth:
    auto_review: true           # review every new grant automatically
    block_unverified: false     # alert on unverified publishers without revoking the grant
    alert_on_sensitive_scopes:  # Microsoft Graph permissions Mail.Read, Files.ReadWrite.All, User.Read.All
      - "mail.read"
      - "files.readwrite.all"
      - "user.read.all"

  authentication:
    impossible_travel:
      enabled: true
      threshold_km: 500         # two logins farther apart than this ...
      threshold_minutes: 60     # ... within this many minutes is impossible travel
    brute_force:
      enabled: true
      attempts: 10              # failed attempts against one account ...
      window_minutes: 5         # ... within this many minutes

Next Steps