Query Details
id: 07b8c9da-7777-4a1a-9007-0123456789b1
name: OpenAI - Credential / project sprawl anomaly
description: |
  Hunts for OpenAI credential and tenancy creation events (API keys,
  service accounts, projects, member invites / additions) performed by
  an actor with no creation history in the prior 14 days, or at a burst
  rate of three or more in the last day. Surfaces credential sprawl,
  rogue service-account minting, and post-compromise persistence setup.
  Ported from the Microsoft 365 Copilot "Plugin install anomaly" hunt,
  retargeted from plugin/connector installs to the OpenAI credential
  surface in OpenAIAuditLogs.
query: |
  let baselineWindow = 14d;
  let recentWindow = 1d;
  // Baseline: every session user with at least one creation event between
  // 14 days ago and 1 day ago, keyed by lower-cased e-mail.
  let creators =
      OpenAIAuditLogs
      | where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
      | where EventType in (
          "api_key.created", "service_account.created",
          "project.created", "user.added", "invite.sent")
      | extend ActorEmail = tolower(tostring(ActorSession.user.email))
      | summarize PriorCreates = count() by ActorEmail;
  // Recent: the same creation events in the last day, bucketed per actor
  // e-mail and source IP.
  OpenAIAuditLogs
  | where TimeGenerated > ago(recentWindow)
  | where EventType in (
      "api_key.created", "service_account.created",
      "project.created", "user.added", "invite.sent")
  | extend
      ActorEmail = tolower(tostring(ActorSession.user.email)),
      ActorIp = tostring(ActorSession.ip_address)
  | summarize
      RecentCreates = count(),
      Types = make_set(EventType, 10),
      FirstSeen = min(TimeGenerated),
      LastSeen = max(TimeGenerated)
    by ActorEmail, ActorIp
  | join kind=leftouter (creators) on ActorEmail
  // Actors absent from the baseline have no join match: treat as zero prior creates.
  | extend PriorCreates = coalesce(PriorCreates, 0)
  // Flag first-time creators, or three or more creates from one actor/IP pair.
  | where PriorCreates == 0 or RecentCreates >= 3
  | project
      FirstSeen, LastSeen, ActorEmail, ActorIp,
      RecentCreates, PriorCreates, Types
  | order by RecentCreates desc
tactics:
  - Persistence
  - PrivilegeEscalation
techniques:
  - T1098
  - T1136
tags:
  - Sentinel-As-Code
  - Custom
  - OpenAI
  - AI
This hunt flags unusual creation of OpenAI credentials and tenancy objects (API keys, service accounts, projects, member additions and invites) in OpenAIAuditLogs. It looks for two patterns:
New actor: the session user performing the creation has no creation events in the 14-day baseline, which runs from 14 days ago up to 1 day ago. An actor whose very first creation happened inside the last 24 hours therefore counts as new. The actor is taken from ActorSession.user.email, so events whose actor carries no session e-mail all land in a single empty ActorEmail bucket and should be reviewed separately rather than read as one user.
Burst: three or more creation events in the last day from the same actor e-mail and source IP. Because the summarize groups by both columns, creates spread across several IPs are counted per IP and can individually stay under the threshold.
The query first builds the baseline set of creators, then summarizes the last day's creation events per actor and IP, left-joins the baseline so actors with no history receive PriorCreates = 0, and keeps rows that match either condition.
Each result carries the actor's e-mail and IP, the first and last event time, the count of recent and prior creation events, and the set of event types involved, which is enough to distinguish credential sprawl, rogue service-account minting, and persistence set up after an account compromise.
The hunt maps to the Persistence and Privilege Escalation tactics and to T1098 (Account Manipulation) and T1136 (Create Account), and is tagged Sentinel-As-Code, Custom, OpenAI, and AI.
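The detection logic of the hunt, re-implemented in Python over constructed sample records so the two conditions, the baseline boundary, and the per-IP bucketing can be checked offline. This is an added example, not the hunt author's code or Microsoft Sentinel's: the record shape (TimeGenerated, EventType, an ActorSession object with user.email and ip_address) mirrors the columns the KQL reads, the e-mails, IPs and timestamps are constructed, and NOW stands in for the query's evaluation time.

```python
"""Offline re-implementation of the 'credential / project sprawl' hunt.
Added example, not the query author's code; all records are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

CREATION_EVENTS = {
    "api_key.created", "service_account.created",
    "project.created", "user.added", "invite.sent",
}
BASELINE_WINDOW = timedelta(days=14)   # let baselineWindow = 14d
RECENT_WINDOW = timedelta(days=1)      # let recentWindow = 1d
BURST_THRESHOLD = 3                    # RecentCreates >= 3

# Assumed evaluation time (stands in for now() in the KQL query).
NOW = datetime(2026, 6, 8, 12, 0, tzinfo=timezone.utc)


def _rec(hours_ago, event_type, email, ip):
    """One constructed record in the shape the KQL reads."""
    return {
        "TimeGenerated": NOW - timedelta(hours=hours_ago),
        "EventType": event_type,
        "ActorSession": {"user": {"email": email}, "ip_address": ip},
    }


SAMPLE_LOGS = [  # constructed, not real audit data
    # alice: steady creator over the baseline, one more today -> not flagged
    _rec(24 * 10, "api_key.created", "Alice@example.com", "203.0.113.10"),
    _rec(24 * 5, "project.created", "alice@example.com", "203.0.113.10"),
    _rec(6, "api_key.created", "alice@example.com", "203.0.113.10"),
    # bob: no prior history, a single key today -> flagged as a new actor
    _rec(3, "api_key.created", "bob@example.com", "198.51.100.7"),
    # carol: prior history, but four creates today from one IP -> flagged as a burst
    _rec(24 * 3, "invite.sent", "carol@example.com", "192.0.2.20"),
    _rec(5, "service_account.created", "carol@example.com", "192.0.2.20"),
    _rec(4, "api_key.created", "carol@example.com", "192.0.2.20"),
    _rec(3, "api_key.created", "carol@example.com", "192.0.2.20"),
    _rec(2, "user.added", "carol@example.com", "192.0.2.20"),
    # dave: prior history, four creates today split over two IPs -> NOT flagged,
    # because the query buckets bursts per (actor, IP) pair
    _rec(24 * 2, "api_key.created", "dave@example.com", "192.0.2.30"),
    _rec(5, "api_key.created", "dave@example.com", "192.0.2.30"),
    _rec(4, "api_key.created", "dave@example.com", "192.0.2.30"),
    _rec(3, "api_key.created", "dave@example.com", "192.0.2.31"),
    _rec(2, "api_key.created", "dave@example.com", "192.0.2.31"),
    # a non-creation event is ignored entirely
    _rec(1, "login.succeeded", "bob@example.com", "198.51.100.7"),
]


def actor_email(record):
    """Mirror tolower(tostring(ActorSession.user.email)). Records without a
    session e-mail collapse to '' (the empty-ActorEmail bucket)."""
    session = record.get("ActorSession") or {}
    return str((session.get("user") or {}).get("email", "")).lower()


def hunt(records, now=NOW):
    """Return rows equivalent to the KQL output, ordered by RecentCreates desc."""
    creation = [r for r in records if r["EventType"] in CREATION_EVENTS]
    # Baseline creators: between(ago(14d) .. ago(1d)) is inclusive at both ends.
    prior = Counter(
        actor_email(r) for r in creation
        if now - BASELINE_WINDOW <= r["TimeGenerated"] <= now - RECENT_WINDOW
    )
    # Recent creates: TimeGenerated > ago(1d), grouped by (ActorEmail, ActorIp).
    recent = defaultdict(list)
    for r in creation:
        if r["TimeGenerated"] > now - RECENT_WINDOW:
            ip = str((r.get("ActorSession") or {}).get("ip_address", ""))
            recent[(actor_email(r), ip)].append(r)
    rows = []
    for (email, ip), evs in recent.items():
        prior_creates = prior.get(email, 0)  # leftouter join + coalesce(_, 0)
        if prior_creates == 0 or len(evs) >= BURST_THRESHOLD:
            rows.append({
                "FirstSeen": min(e["TimeGenerated"] for e in evs),
                "LastSeen": max(e["TimeGenerated"] for e in evs),
                "ActorEmail": email, "ActorIp": ip,
                "RecentCreates": len(evs), "PriorCreates": prior_creates,
                "Types": sorted({e["EventType"] for e in evs}),
            })
    return sorted(rows, key=lambda r: r["RecentCreates"], reverse=True)


if __name__ == "__main__":
    for row in hunt(SAMPLE_LOGS):
        print(row)
```

On the sample above only carol (burst of four from one IP) and bob (no baseline history) are returned; dave's four creates split across two IPs never reach the threshold in either bucket, which is the per-IP caveat to keep in mind when tuning the hunt.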

David Alonso
Released: June 8, 2026