OpenAI - Off-hours or anomalous-geo org login
Open AI Off Hours Or Geo Anomaly
Query
let lookback = 30d;
let recentWindow = 1d;
let usual =
OpenAIAuditLogs
| where TimeGenerated between (ago(lookback) .. ago(recentWindow))
| where EventType startswith "login"
| extend
ActorEmail = tolower(tostring(ActorSession.user.email)),
Country = tostring(geo_info_from_ip_address(tostring(ActorSession.ip_address)).country)
| summarize
UsualHours = make_set(hourofday(TimeGenerated), 24),
UsualCountries = make_set(Country, 50)
by ActorEmail;
OpenAIAuditLogs
| where TimeGenerated > ago(recentWindow)
| where EventType startswith "login"
| extend
ActorEmail = tolower(tostring(ActorSession.user.email)),
ActorIp = tostring(ActorSession.ip_address),
Hour = hourofday(TimeGenerated)
| extend Country = tostring(geo_info_from_ip_address(ActorIp).country)
| join kind=leftouter usual on ActorEmail
| extend
OffHours = isnotnull(UsualHours) and not(set_has_element(UsualHours, Hour)),
AnomalousGeo = isnotempty(Country) and isnotnull(UsualCountries)
and not(set_has_element(UsualCountries, Country))
| where OffHours or AnomalousGeo
| project
TimeGenerated, ActorEmail, ActorIp, Country, Hour,
OffHours, AnomalousGeo, UsualCountries
| order by TimeGenerated descExplanation
This query is designed to detect potentially suspicious login activities for an OpenAI organization. It identifies logins that occur either outside of a user's typical working hours or from a country that the user hasn't logged in from in the past 30 days. This could indicate session theft, misuse of API keys, or impersonation from a different location.
Here's a simplified breakdown of what the query does:
-
Lookback Period: It examines login data from the past 30 days to establish a baseline of usual login times and countries for each user.
-
Recent Logins: It then looks at logins from the last day to identify any that are unusual.
-
Usual Patterns: For each user, it determines their typical login hours and countries based on the past 30 days of data.
-
Anomalies Detection: It checks if recent logins fall outside these usual patterns, either by occurring at unusual hours or from unfamiliar countries.
-
Results: The query outputs details of these potentially suspicious logins, including the time, user's email, IP address, country, and whether the login was at an unusual time or from an unusual location.
The query is tagged with tactics and techniques related to initial access and defense evasion, indicating its relevance in identifying unauthorized access attempts.
Details

David Alonso
Released: June 8, 2026
Tables
Keywords
Operators
Tactics