Query Details

Chat GPT Usage Detection In Network Traffic

Query

// Reduce hostnames with three or more labels (e.g. control.dropbox.com, email.wetransfer.com) to their last two labels
let partialRemoteUrlToDetect = "openai.com"; // Main domain (second-level label plus TLD) to match on
DeviceNetworkEvents
| where Timestamp > ago(100d)
| extend UrlParts = split(RemoteUrl, ".")
| extend DomainWithTLD = iif(array_length(UrlParts) >= 2, strcat(UrlParts[-2], ".", UrlParts[-1]), RemoteUrl) // Gets the main domain and TLD
| where DomainWithTLD == partialRemoteUrlToDetect or RemoteUrl has "chat.openai.com" // Matches the main domain, or the chat host explicitly
| summarize TotalConnections = count(), LastConnection = max(Timestamp) by InitiatingProcessAccountName, DeviceName, DeviceId, InitiatingProcessFileName, RemoteUrl = DomainWithTLD
| project DeviceName, DeviceId, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, TotalConnections, LastConnection

Explanation

This query looks at network events from devices in the past 100 days. It splits RemoteUrl on "." and rebuilds the main domain from the last two labels (falling back to the full RemoteUrl when there are fewer than two), then keeps only events whose main domain is "openai.com" or whose RemoteUrl contains "chat.openai.com". It then summarizes the total connections and the last connection time for each device, account, and initiating process that reached those domains, and finally projects the columns needed for analysis. Note that the last-two-labels heuristic treats a multi-label public suffix such as "co.uk" as the main domain, so hosts under such suffixes would need a different rule.
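The same detection logic as an added, stand-alone Python example (not part of the original query page): it mirrors the DomainWithTLD extraction, the 100-day window, the match predicate and the summarize step over a few constructed DeviceNetworkEvents-style rows, and exposes the multi-label-suffix caveat via the helper. Column names follow the query; the sample rows and the reference date are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample rows using the DeviceNetworkEvents columns the query reads.
def _row(ts, dev, uid, acct, proc, url):
    return {"Timestamp": ts, "DeviceName": dev, "DeviceId": uid,
            "InitiatingProcessAccountName": acct, "InitiatingProcessFileName": proc,
            "RemoteUrl": url}

SAMPLE_EVENTS = [
    _row(datetime(2024, 6, 1, 9, 0), "wks-01", "d1", "alice", "chrome.exe", "chat.openai.com"),
    _row(datetime(2024, 6, 2, 10, 30), "wks-01", "d1", "alice", "chrome.exe", "api.openai.com"),
    _row(datetime(2024, 6, 3, 11, 0), "wks-02", "d2", "bob", "msedge.exe", "control.dropbox.com"),
    _row(datetime(2023, 1, 1, 0, 0), "wks-02", "d2", "bob", "msedge.exe", "openai.com"),  # outside window
]

def domain_with_tld(remote_url):
    """Mirror of the query's DomainWithTLD: last two labels, or the input if fewer than two.
    Caveat: a multi-label public suffix (example.co.uk) collapses to 'co.uk'."""
    parts = remote_url.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else remote_url

def detect_openai_usage(events, now, lookback_days=100, target="openai.com"):
    """Apply the query's where/summarize/project steps and return the result rows."""
    cutoff = now - timedelta(days=lookback_days)
    buckets = {}  # (DeviceName, DeviceId, account, process, domain) -> (count, last seen)
    for e in events:
        if e["Timestamp"] <= cutoff:  # Timestamp > ago(lookback)
            continue
        dom = domain_with_tld(e["RemoteUrl"])
        # Same predicate as the query: main-domain match or the chat host present in RemoteUrl.
        if not (dom == target or "chat.openai.com" in e["RemoteUrl"]):
            continue
        key = (e["DeviceName"], e["DeviceId"], e["InitiatingProcessAccountName"],
               e["InitiatingProcessFileName"], dom)
        total, last = buckets.get(key, (0, None))
        last = e["Timestamp"] if last is None or e["Timestamp"] > last else last
        buckets[key] = (total + 1, last)
    return [{"DeviceName": k[0], "DeviceId": k[1], "InitiatingProcessAccountName": k[2],
             "InitiatingProcessFileName": k[3], "RemoteUrl": k[4],
             "TotalConnections": v[0], "LastConnection": v[1]}
            for k, v in buckets.items()]

if __name__ == "__main__":
    for row in detect_openai_usage(SAMPLE_EVENTS, now=datetime(2024, 6, 7)):
        print(row)
```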

Details


Muzammil Mahmood

Released: June 7, 2024

Tables

DeviceNetworkEvents

Keywords

Devices,Intune,User,Timestamp,RemoteUrl,UrlParts,DomainWithTLD,InitiatingProcessAccountName,DeviceName,DeviceId,InitiatingProcessFileName.

Operators

split, where, extend, iif, array_length, strcat, has, summarize, count, max, by, project
