Query Details

Open AI Off Hours Or Geo Anomaly

Query

id: f6a7b8c9-6666-4fff-9006-0123456789b0
name: OpenAI - Off-hours or anomalous-geo org login
description: |
  Hunts for OpenAI organization logins that occur outside the actor's
  normal business hours or from a country the actor has not used in the
  last 30 days. Common indicator of session theft, API-key abuse, or
  geographically displaced impersonation.

  Ported from the Microsoft 365 Copilot "Off-hours or anomalous-geo"
  hunt. The OpenAI audit log carries the source IP in
  ActorSession.ip_address; country is derived with
  geo_info_from_ip_address(). The baseline is built from the same
  OpenAIAuditLogs login stream rather than SigninLogs.
query: |
  let lookback = 30d;
  let recentWindow = 1d;
  let usual =
      OpenAIAuditLogs
      | where TimeGenerated between (ago(lookback) .. ago(recentWindow))
      | where EventType startswith "login"
      | extend
          ActorEmail = tolower(tostring(ActorSession.user.email)),
          Country = tostring(geo_info_from_ip_address(tostring(ActorSession.ip_address)).country)
      | summarize
          UsualHours = make_set(hourofday(TimeGenerated), 24),
          UsualCountries = make_set(Country, 50)
          by ActorEmail;
  OpenAIAuditLogs
  | where TimeGenerated > ago(recentWindow)
  | where EventType startswith "login"
  | extend
      ActorEmail = tolower(tostring(ActorSession.user.email)),
      ActorIp = tostring(ActorSession.ip_address),
      Hour = hourofday(TimeGenerated)
  | extend Country = tostring(geo_info_from_ip_address(ActorIp).country)
  | join kind=leftouter usual on ActorEmail
  | extend
      OffHours = isnotnull(UsualHours) and not(set_has_element(UsualHours, Hour)),
      AnomalousGeo = isnotempty(Country) and isnotnull(UsualCountries)
                     and not(set_has_element(UsualCountries, Country))
  | where OffHours or AnomalousGeo
  | project
      TimeGenerated, ActorEmail, ActorIp, Country, Hour,
      OffHours, AnomalousGeo, UsualCountries
  | order by TimeGenerated desc
tactics:
  - InitialAccess
  - DefenseEvasion
techniques:
  - T1078
  - T1078.004
tags:
  - Sentinel-As-Code
  - Custom
  - OpenAI
  - AI

Explanation

This query is designed to detect potentially suspicious login activities for an OpenAI organization. It identifies logins that occur either outside of a user's typical working hours or from a country that the user hasn't logged in from in the past 30 days. This could indicate session theft, misuse of API keys, or impersonation from a different location.

Here's a simplified breakdown of what the query does:

  1. Lookback Period: It examines login data from the past 30 days to establish a baseline of usual login times and countries for each user.

  2. Recent Logins: It then looks at logins from the last day to identify any that are unusual.

  3. Usual Patterns: For each user, it determines their typical login hours and countries based on the past 30 days of data.

  4. Anomaly Detection: It checks whether each recent login falls outside these usual patterns, either by occurring at an hour the user has not logged in at before or from a country the user has not logged in from. A user with no baseline (no logins in the 30-day window) is never flagged, because the left outer join leaves UsualHours and UsualCountries null for them.

  5. Results: The query outputs details of these potentially suspicious logins, including the time, user's email, IP address, country, and whether the login was at an unusual time or from an unusual location.

The query is tagged with tactics and techniques related to initial access and defense evasion, indicating its relevance in identifying unauthorized access attempts.
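As an added illustration (not code from the page or from the Sentinel-As-Code project), the following Python reproduces the hunt's baseline-and-compare logic over a handful of constructed OpenAI audit-log records, so the behaviour of the KQL can be traced without a Sentinel workspace. The `GEO_TABLE` lookup is an assumed stand-in for KQL's `geo_info_from_ip_address()`, the `login()` helper and `SAMPLE_EVENTS` are constructed test data, and `find_anomalies()` mirrors the query's `OffHours`/`AnomalousGeo` flags, including the case where an actor has no baseline and is therefore not flagged.

```python
"""Re-implementation of the OpenAI off-hours / anomalous-geo hunt (added example).

Mirrors the KQL: build a per-actor baseline of login hours and countries from
the window [now - 30d, now - 1d], then flag logins in the last day whose hour
or country is not in that baseline.
"""
from datetime import datetime, timedelta, timezone

# Assumed stand-in for KQL geo_info_from_ip_address(): constructed IP -> country table.
GEO_TABLE = {
    "203.0.113.10": "US",
    "203.0.113.11": "US",
    "198.51.100.7": "DE",
}


def geo_country(ip):
    """Country for an IP, or "" when unknown (the KQL checks isnotempty(Country))."""
    return GEO_TABLE.get(ip, "")


def _is_login(ev):
    # EventType startswith "login"
    return ev["EventType"].startswith("login")


def build_baseline(events, now, lookback=timedelta(days=30), recent=timedelta(days=1)):
    """Per-actor sets of login hours and countries seen between ago(lookback) and ago(recent)."""
    usual = {}
    for ev in events:
        t = ev["TimeGenerated"]
        if not _is_login(ev) or not (now - lookback <= t <= now - recent):
            continue
        actor = ev["ActorSession"]["user"]["email"].lower()
        entry = usual.setdefault(actor, {"hours": set(), "countries": set()})
        entry["hours"].add(t.hour)                                   # make_set(hourofday(...))
        entry["countries"].add(geo_country(ev["ActorSession"]["ip_address"]))  # make_set(Country)
    return usual


def find_anomalies(events, now, lookback=timedelta(days=30), recent=timedelta(days=1)):
    """Recent logins that are off-hours or from an unseen country, newest first."""
    usual = build_baseline(events, now, lookback, recent)
    hits = []
    for ev in events:
        t = ev["TimeGenerated"]
        if not _is_login(ev) or t <= now - recent:
            continue
        actor = ev["ActorSession"]["user"]["email"].lower()
        ip = ev["ActorSession"]["ip_address"]
        country = geo_country(ip)
        base = usual.get(actor)  # None models the null right side of the leftouter join
        off_hours = base is not None and t.hour not in base["hours"]
        anomalous_geo = bool(country) and base is not None and country not in base["countries"]
        if off_hours or anomalous_geo:
            hits.append({
                "TimeGenerated": t, "ActorEmail": actor, "ActorIp": ip, "Country": country,
                "Hour": t.hour, "OffHours": off_hours, "AnomalousGeo": anomalous_geo,
                "UsualCountries": sorted(base["countries"]),
            })
    hits.sort(key=lambda h: h["TimeGenerated"], reverse=True)  # order by TimeGenerated desc
    return hits


# ---- constructed sample data -------------------------------------------------
NOW = datetime(2026, 6, 8, 12, 0, tzinfo=timezone.utc)


def login(email, ip, when, event_type="login.succeeded"):
    """Build a minimal record shaped like an OpenAIAuditLogs row (constructed, not real)."""
    return {"TimeGenerated": when, "EventType": event_type,
            "ActorSession": {"user": {"email": email}, "ip_address": ip}}


SAMPLE_EVENTS = [
    # alice's baseline: US logins at 09:00, 10:00 and 14:00 UTC over the past weeks
    login("Alice@example.com", "203.0.113.10", NOW - timedelta(days=20, hours=3)),
    login("alice@example.com", "203.0.113.11", NOW - timedelta(days=10, hours=2)),
    login("alice@example.com", "203.0.113.10", NOW - timedelta(days=5) + timedelta(hours=2)),
    # 40 days old: outside the lookback, so DE never enters her baseline
    login("alice@example.com", "198.51.100.7", NOW - timedelta(days=40)),
    # today 10:00 from the US: within pattern, not flagged
    login("alice@example.com", "203.0.113.10", NOW - timedelta(hours=2)),
    # today 03:00 from DE: both OffHours and AnomalousGeo
    login("alice@example.com", "198.51.100.7", NOW - timedelta(hours=9)),
    # non-login event from the same IP is ignored by the EventType filter
    login("alice@example.com", "198.51.100.7", NOW - timedelta(hours=1), "api_key.created"),
    # bob has no logins in the baseline window, so his DE login is not flagged
    login("bob@example.com", "198.51.100.7", NOW - timedelta(hours=5)),
]

if __name__ == "__main__":
    for hit in find_anomalies(SAMPLE_EVENTS, NOW):
        print(hit)
```

Running the block reports a single hit: alice's 03:00 UTC login from DE, with both flags set and `UsualCountries` equal to `['US']`. Bob's login from the same IP is silent because he has no 30-day baseline, which is the property of the `leftouter` join plus `isnotnull()` that a hunter should keep in mind when reviewing results: brand-new or rarely active accounts need a separate check.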

Details


David Alonso

Released: June 8, 2026

Tables

OpenAIAuditLogs

Keywords

OpenAIAuditLogs, ActorSession, User, Email, IpAddress, Country, TimeGenerated, EventType, ActorEmail, ActorIp, Hour, UsualHours, UsualCountries, OffHours, AnomalousGeo

Operators

let, between, ago, startswith, tolower, tostring, geo_info_from_ip_address, summarize, make_set, by, extend, join, kind, leftouter, isnotnull, set_has_element, isnotempty, or, project, order by, desc
