Query Details

OpenAI - Credential / project sprawl anomaly

Open AI Credential Sprawl Anomaly

Query

let baselineWindow = 14d;
let recentWindow = 1d;
let creators =
    OpenAIAuditLogs
    | where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
    | where EventType in (
          "api_key.created", "service_account.created",
          "project.created", "user.added", "invite.sent")
    | extend ActorEmail = tolower(tostring(ActorSession.user.email))
    | summarize PriorCreates = count() by ActorEmail;
OpenAIAuditLogs
| where TimeGenerated > ago(recentWindow)
| where EventType in (
      "api_key.created", "service_account.created",
      "project.created", "user.added", "invite.sent")
| extend
    ActorEmail = tolower(tostring(ActorSession.user.email)),
    ActorIp = tostring(ActorSession.ip_address)
| summarize
    RecentCreates = count(),
    Types = make_set(EventType, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by ActorEmail, ActorIp
| join kind=leftouter creators on ActorEmail
| extend PriorCreates = coalesce(PriorCreates, 0)
| where PriorCreates == 0 or RecentCreates >= 3
| project
    FirstSeen, LastSeen, ActorEmail, ActorIp,
    RecentCreates, PriorCreates, Types
| order by RecentCreates desc

Explanation

This query is designed to detect unusual activities related to the creation of OpenAI credentials and projects. It looks for two main patterns:

  1. New Actor Activity: It identifies events where an actor (a user or service account) creates API keys, service accounts, projects, or adds/invites users, but has no history of such activities in the past 14 days.

  2. Burst Activity: It also flags cases where an actor performs three or more of these creation events within a single day.

The query works by first establishing a baseline of actors who have performed these actions in the past 14 days. Then, it examines the last day's activities to find actors who either have no prior history of such actions or have performed them in a burst.

The results include details like the actor's email, IP address, the number of recent and prior creation events, and the types of events they performed. This helps in identifying potential credential sprawl, unauthorized service account creation, or persistence setups after a compromise.

The query is associated with tactics like Persistence and Privilege Escalation, and techniques such as T1098 (Account Manipulation) and T1136 (Create Account). It is tagged for use with Sentinel-As-Code, OpenAI, and AI-related monitoring.

Details

David Alonso profile picture

David Alonso

Released: June 8, 2026

Tables

OpenAIAuditLogs

Keywords

OpenAIAuditLogsActorEmailActorIpEventTypeTimeGeneratedActorSessionUserEmailIpAddressApiKeyServiceAccountProjectInvite

Operators

letbetweenagointolowertostringsummarizebyextendcountmake_setminmaxjoinkindcoalescewhereprojectorder by

Tactics

PersistencePrivilegeEscalation

MITRE Techniques

Actions

GitHub