OpenAI - Credential / project sprawl anomaly
Open AI Credential Sprawl Anomaly
Query
let baselineWindow = 14d;
let recentWindow = 1d;
let creators =
OpenAIAuditLogs
| where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
| where EventType in (
"api_key.created", "service_account.created",
"project.created", "user.added", "invite.sent")
| extend ActorEmail = tolower(tostring(ActorSession.user.email))
| summarize PriorCreates = count() by ActorEmail;
OpenAIAuditLogs
| where TimeGenerated > ago(recentWindow)
| where EventType in (
"api_key.created", "service_account.created",
"project.created", "user.added", "invite.sent")
| extend
ActorEmail = tolower(tostring(ActorSession.user.email)),
ActorIp = tostring(ActorSession.ip_address)
| summarize
RecentCreates = count(),
Types = make_set(EventType, 10),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by ActorEmail, ActorIp
| join kind=leftouter creators on ActorEmail
| extend PriorCreates = coalesce(PriorCreates, 0)
| where PriorCreates == 0 or RecentCreates >= 3
| project
FirstSeen, LastSeen, ActorEmail, ActorIp,
RecentCreates, PriorCreates, Types
| order by RecentCreates descExplanation
This query is designed to detect unusual activities related to the creation of OpenAI credentials and projects. It looks for two main patterns:
-
New Actor Activity: It identifies events where an actor (a user or service account) creates API keys, service accounts, projects, or adds/invites users, but has no history of such activities in the past 14 days.
-
Burst Activity: It also flags cases where an actor performs three or more of these creation events within a single day.
The query works by first establishing a baseline of actors who have performed these actions in the past 14 days. Then, it examines the last day's activities to find actors who either have no prior history of such actions or have performed them in a burst.
The results include details like the actor's email, IP address, the number of recent and prior creation events, and the types of events they performed. This helps in identifying potential credential sprawl, unauthorized service account creation, or persistence setups after a compromise.
The query is associated with tactics like Persistence and Privilege Escalation, and techniques such as T1098 (Account Manipulation) and T1136 (Create Account). It is tagged for use with Sentinel-As-Code, OpenAI, and AI-related monitoring.
Details

David Alonso
Released: June 8, 2026
Tables
Keywords
Operators
Tactics