Query Details

OpenAI - Organization security configuration change

Open AI Org Config Override

Query

OpenAIAuditLogs
| where EventType has_any (
      "organization.updated", "settings", "logging", "retention",
      "rate_limit", "sso", "scim", "mfa", "domain",
      "role.updated", "member.updated", "owner")
| where EventType !has "login"
| extend
    ActorEmail = tostring(ActorSession.user.email),
    ActorIp = tostring(ActorSession.ip_address),
    ProjectName = tostring(Project.name)
| project
    TimeGenerated, EventType, ActorEmail, ActorIp,
    ProjectName, EventDetails, Id
| order by TimeGenerated desc

Explanation

This query is designed to monitor and detect changes in the security configuration of an OpenAI organization. It focuses on identifying modifications to critical settings such as organization settings, logging and retention policies, Single Sign-On (SSO), System for Cross-domain Identity Management (SCIM), Multi-Factor Authentication (MFA) enforcement, rate limits, and member role changes. These changes are significant because they can be used by attackers with administrative access to maintain persistence and evade defenses.

The query runs every hour and looks back over the past hour to check for relevant events in the OpenAI audit logs. It filters events to exclude login activities and extracts details such as the email and IP address of the actor making the changes, as well as the project name involved. The results are sorted by the time the event was generated.

If any changes are detected, an alert is triggered with a high severity level. The alert is configured to create an incident, and similar incidents can be grouped together based on the account involved. This helps in managing and responding to potential security threats effectively. The query is part of a scheduled task and is tagged for easy identification and categorization within a security monitoring system.

Details

David Alonso profile picture

David Alonso

Released: June 8, 2026

Tables

OpenAIAuditLogs

Keywords

OpenAIOrganizationSecurityConfigurationChangeSettingsLoggingRetentionPolicySSOSCIMMFAEnforcementRateLimitsMemberRoleChangesMicrosoftCopilotAdminConfigSystemPromptOverrideSurfacePersistenceDefenseEvasionPrimitivesAttackerOrgAccessEventTypeAuditLogVersionOpenAIAuditLogsActorEmailIpProjectNameEventDetailsIdAccountAddressSentinelAsCodeCustomAI

Operators

has_any!hasextendtostringprojectorder by

Severity

High

Tactics

DefenseEvasionPersistence

MITRE Techniques

Frequency: PT1H

Period: PT1H

Actions

GitHub