Query Details

Open AI Sensitive Tool Invocation

Query

id: 29daeb0c-9999-4c3c-9009-0123456789b3
name: OpenAI - Sensitive tool / function invocation
description: |
  Detects OpenAI API requests that invoke a function-calling tool listed
  in the AzureAI_SensitiveTools watchlist (e.g. send_email, run_powershell,
  graph.write, delete_*). High-signal detection for excessive autonomy and
  post-jailbreak action, complementary to OpenAIToolUsageDrift (which flags
  the first use of any new tool rather than a known-dangerous one).

  Ported from the AzureAI-ThreatHunting "Sensitive tool invocation" rule
  (R09), retargeted from AppTraces gen_ai.tool.name to the
  ASimAgentEventLogs ToolName field. The two packs deliberately share the
  AzureAI_SensitiveTools watchlist so the high-risk tool list is maintained
  in one place across the AI estate.

  ActorUser is AdditionalFields.input_user (the OpenAI 'user' request
  parameter); it is empty when callers do not set it - the tool match still
  fires, the per-user grouping just collapses.
severity: High
requiredDataConnectors:
- connectorId: OpenAI
  dataTypes:
  - ASimAgentEventLogs
queryFrequency: PT15M
queryPeriod: PT15M
triggerOperator: gt
triggerThreshold: 0
enabled: true
tactics:
- Execution
- Impact
relevantTechniques:
- T1059
query: |
  let sensitiveTools = dynamic([
      "code_interpreter", "python", "shell", "bash", "cmd", "powershell",
      "exec", "os", "subprocess", "http", "requests", "fetch", "curl",
      "browser", "sql", "database", "query", "email", "sendmail", "smtp",
      "file", "filesystem", "read_file", "write_file", "delete", "secrets",
      "keyvault", "credentials", "ssh", "rdp", "admin"
  ]);
  OpenAIChatCompletions
  | where TimeGenerated > ago(15m)
  | where isnotempty(ToolName)
  | extend
      Tool = tolower(tostring(ToolName)),
      ActorUser = tostring(AdditionalFields.input_user)
  | where Tool has_any (sensitiveTools)
  | summarize
      Hits = count(),
      Models = make_set(ModelName, 10),
      Requests = make_set(EventRequestId, 5),
      FirstSeen = min(TimeGenerated),
      LastSeen = max(TimeGenerated)
      by ActorUser, Tool
  | project
      FirstSeen, LastSeen, ActorUser, Tool, Hits, Models, Requests
  | order by Hits desc
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: ActorUser
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: Tool
eventGroupingSettings:
  aggregationKind: SingleAlert
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: Selected
    groupByEntities:
    - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
version: 1.0.0
kind: Scheduled
tags:
- Sentinel-As-Code
- Custom
- OpenAI
- AI

Explanation

This query is designed to monitor and detect potentially risky actions involving the OpenAI API. Here's a simplified breakdown:

  1. Purpose: The query identifies OpenAI API requests that invoke function-calling tools considered high-risk. The rule description refers to a watchlist called AzureAI_SensitiveTools; the query text shown here matches against an inline list of tool names.

  2. Context: It is a detection for excessive autonomy and for actions taken after a jailbreak (post-jailbreak). It complements another rule, OpenAIToolUsageDrift, which flags the first use of any new tool.

  3. Data Source: The query reads the OpenAIChatCompletions table and uses its ToolName field; the rule's data connector lists the ASimAgentEventLogs data type.

  4. Sensitive Tools: The query checks for the use of tools like "powershell", "email", "sql", and others that could be used for executing commands, accessing files, or sending emails.

  5. Detection Logic:

    • It filters logs from the last 15 minutes and drops rows with an empty ToolName.
    • It lowercases ToolName and keeps rows where it matches any entry in the sensitive tool list (has_any).
    • It counts how many times each tool was used and gathers related information like the models used and request IDs.
    • It organizes the data by user and tool, showing when the tool was first and last seen in use.

  6. Severity and Response: The severity of this detection is marked as high. If any such activity is detected, an incident is created for further investigation.

  7. Entity Mapping: The query maps detected activities to user accounts and cloud applications for better tracking and response.

  8. Alert Management: Each run raises a single alert for all results. Alerts are grouped into incidents by user account within a 5-hour lookback window, and closed incidents are not reopened.

Overall, this query helps in identifying and responding to potentially dangerous uses of the OpenAI API, ensuring that any misuse is quickly flagged and investigated.
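
An added sketch (not part of the original rule or its author's code) that replays the rule's filter and grouping over constructed events in Python. It approximates KQL has_any as case-insensitive whole-term matching with terms bounded by non-alphanumeric characters, which is an assumption of this sketch; the tool list is a subset of the rule's, and make_event and all event values are invented.

```python
import re
from collections import defaultdict

# Subset of the rule's inline sensitiveTools list (chosen for this example).
SENSITIVE_TOOLS = ["powershell", "email", "sql", "delete", "read_file", "http"]

def has_any(value, terms):
    """Approximate KQL has_any: case-insensitive whole-term match, a term being
    bounded by non-alphanumeric characters (assumption of this sketch)."""
    return any(
        re.search(rf"(?<![a-z0-9]){re.escape(t)}(?![a-z0-9])", value, re.I)
        for t in terms
    )

def detect(events):
    """Mirror the rule: drop empty ToolName, lowercase, match, group by (ActorUser, Tool)."""
    groups = defaultdict(lambda: {"Hits": 0, "Models": set(), "Requests": set()})
    for event in events:
        tool = (event.get("ToolName") or "").lower()
        if not tool or not has_any(tool, SENSITIVE_TOOLS):
            continue
        # tostring() of a missing input_user is an empty string in the rule.
        actor = event.get("AdditionalFields", {}).get("input_user") or ""
        group = groups[(actor, tool)]
        group["Hits"] += 1
        group["Models"].add(event["ModelName"])         # rule caps this set at 10
        group["Requests"].add(event["EventRequestId"])  # rule caps this set at 5
    return dict(groups)

def make_event(tool, model, req, user=None):
    """Build one constructed event with the columns the rule reads."""
    extra = {"input_user": user} if user else {}
    return {"ToolName": tool, "ModelName": model, "EventRequestId": req, "AdditionalFields": extra}

# Constructed sample events (invented values, not real telemetry).
SAMPLE_EVENTS = [
    make_event("run_powershell", "model-a", "req-1", "alice"),
    make_event("Run_PowerShell", "model-b", "req-2", "alice"),  # same Tool after tolower()
    make_event("send_email", "model-a", "req-3"),               # caller set no 'user'
    make_event("send_email", "model-a", "req-4"),               # another caller, also no 'user'
    make_event("get_weather", "model-a", "req-5", "bob"),       # not on the list
    make_event("sendemail", "model-a", "req-6", "bob"),         # no term boundary before "email"
    make_event("", "model-a", "req-7", "bob"),                  # plain completion, no tool call
]

if __name__ == "__main__":
    for (actor, tool), g in detect(SAMPLE_EVENTS).items():
        print(repr(actor), tool, g["Hits"], sorted(g["Requests"]))
```

The two send_email calls without a 'user' parameter fall into one group with an empty ActorUser, which is the collapse the rule description mentions. Running your own tool inventory through has_any shows which names the list covers before the rule is relied on.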

Details

David Alonso

Released: June 8, 2026

Tables

OpenAIChatCompletions

Keywords

OpenAI, AzureAI, ASimAgentEventLogs, ToolName, ActorUser, Tool, Models, Requests, Account, CloudApplication

Operators

let, dynamic, where, isnotempty, extend, tolower, tostring, has_any, summarize, count, make_set, min, max, by, project, order by, desc
