TP: If you're able to validate that the OAuth application is delivered from an unknown source and redirects to a suspicious URL, then a true positive is indicated.

FP: If you're able to verify that the LOB application was accessed from an unusual location for a legitimate reason and no unusual activities were performed.

Capturing my thoughts on the run then