OpenAI - Privileged config change followed by abuse signal
Open AI Config To Abuse Chain
Query
let window = 1d;
let configChanges =
OpenAIAuditLogs
| where TimeGenerated > ago(window)
| where EventType has_any (
"settings", "organization.updated", "logging", "retention",
"role", "user.added", "invite", "service_account.created",
"api_key.created", "project.created")
| extend ActorEmail = tolower(tostring(ActorSession.user.email))
| where isnotempty(ActorEmail)
| project
ConfigTime = TimeGenerated, ConfigEvent = EventType,
ActorEmail, ConfigIp = tostring(ActorSession.ip_address);
let abuseSignals =
OpenAIChatCompletions
| where TimeGenerated > ago(window)
| where EventFinishReasons has_any ("content_filter", "length")
or array_length(EventFinishReasons) == 0
| extend ActorUser = tolower(tostring(AdditionalFields.input_user))
| where isnotempty(ActorUser)
| project
AbuseTime = TimeGenerated, ActorUser, ModelName,
EventFinishReasons, EventRequestId;
configChanges
| join kind=inner abuseSignals on $left.ActorEmail == $right.ActorUser
| where AbuseTime between (ConfigTime .. ConfigTime + 24h)
| project
ConfigTime, ConfigEvent, ActorEmail, ConfigIp,
AbuseTime, ModelName, EventFinishReasons, EventRequestId
| order by ConfigTime descExplanation
This query is designed to detect suspicious activity related to OpenAI configurations and usage. Here's a simplified explanation:
-
Purpose: The query aims to identify cases where a privileged configuration change (like changes in organization settings, roles, or creation of keys and projects) is followed by potentially abusive actions by the same user within 24 hours.
-
Data Sources: It uses data from OpenAI audit logs and chat completion logs to track configuration changes and subsequent model requests.
-
Process:
- It looks for configuration changes made by users, capturing details like the time of change, type of event, user email, and IP address.
- It also monitors for model requests that trigger abuse signals, such as hitting a content filter, being truncated for length, or having no finish reason.
- The query then matches these configuration changes with abuse signals based on the user's email.
-
Timeframe: The query checks for these activities within a 24-hour window.
-
Alert Generation: If such a pattern is detected, an alert is generated with high severity, indicating potential persistence, defense evasion, or execution tactics.
-
Incident Management: The query is set to create incidents in the system, grouping alerts by user account for better incident management.
-
Customization: The query can be adjusted to fit specific tenant configurations, especially regarding how user identities are mapped.
Overall, this query helps in identifying and responding to potential security threats by correlating configuration changes with suspicious usage patterns.
Details

David Alonso
Released: June 8, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT1H
Period: P1D