Query Details
id: d4e5f6a7-4444-4ddd-9004-0123456789ae
name: OpenAI - New tool / function first use per user
description: |
  Builds a 14-day baseline of the tools (function-calling targets)
  each OpenAI user invokes per model, then alerts when a tool not seen
  in that baseline is used in the last hour. Surfaces capability drift,
  newly granted function access, and attacker-introduced tools.
  Ported from the Microsoft 365 Copilot "Access drift" and "Abnormal
  tool usage" detections, retargeted at the ASimAgentEventLogs ToolName
  field. ActorUser is AdditionalFields.input_user; baseline on ModelName
  alone if your callers do not set the 'user' parameter.
severity: Medium
requiredDataConnectors:
  - connectorId: OpenAI
    dataTypes:
      - ASimAgentEventLogs
queryFrequency: PT1H
queryPeriod: P14D
triggerOperator: gt
triggerThreshold: 0
enabled: true
tactics:
  - Execution
  - PrivilegeEscalation
relevantTechniques:
  - T1059
  - T1098
query: |
  let baselineWindow = 14d;
  let recentWindow = 1h;
  // Tools each (model, user) pair invoked during the baseline window
  let known =
      OpenAIChatCompletions
      | where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
      | where isnotempty(ToolName)
      | extend ActorUser = tostring(AdditionalFields.input_user)
      | summarize by ModelName, ActorUser, ToolName;
  // Recent tool calls with no matching baseline row
  OpenAIChatCompletions
  | where TimeGenerated > ago(recentWindow)
  | where isnotempty(ToolName)
  | extend ActorUser = tostring(AdditionalFields.input_user)
  | join kind=leftanti known on ModelName, ActorUser, ToolName
  | summarize
      FirstSeen = min(TimeGenerated),
      Requests = count(),
      Models = make_set(ModelName, 10)
    by ActorUser, ToolName
  | project FirstSeen, ActorUser, ToolName, Requests, Models
  | order by FirstSeen desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: ActorUser
eventGroupingSettings:
  aggregationKind: SingleAlert
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
version: 1.0.0
kind: Scheduled
tags:
  - Sentinel-As-Code
  - Custom
  - OpenAI
  - AI
This KQL query is designed to monitor the usage of tools or functions by OpenAI users over a 14-day period and alert when a new tool, not previously used by a user, is detected in the last hour. Here's a simple breakdown of what the query does:
Baseline Creation: It establishes a 14-day baseline of tools (or function-calling targets) that each OpenAI user has used per model. This is done by looking at the ASimAgentEventLogs data and recording which tools each user has invoked with each model.
Recent Activity Monitoring: It then checks the tool usage in the last hour to identify any (model, user, tool) combination that was not part of the 14-day baseline.
Alert Generation: If a new tool is detected (one that wasn't used in the past 14 days by a specific user on that model), it generates an alert. This helps in identifying capability drift, newly granted function access, and attacker-introduced tools.
Severity and Tactics: The alert is categorized with a medium severity level and is associated with the MITRE ATT&CK tactics Execution and Privilege Escalation (techniques T1059 and T1098).
Entity Mapping and Incident Configuration: The query maps the user account involved and is configured to create incidents when such anomalies are detected. It groups alerts by user account within a 6-hour lookback and does not reopen closed incidents.
Operational Details: The query runs every hour (queryFrequency: PT1H) and looks back over a 14-day period (queryPeriod: P14D). It is enabled and actively monitors for these conditions.
Overall, this query is a proactive measure to detect unusual tool usage patterns that could indicate security issues or changes in user behavior.
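To check the rule's semantics offline before deploying it, here is an added Python re-implementation of the baseline, left-anti join and summarize steps run over constructed events; it is not part of the rule or any Sentinel content, and the model names, tool names and the user "alice" are made up. It also exercises the per-model join key (a known tool used on a new model alerts) and the ModelName-only fallback the description mentions.

```python
from datetime import datetime, timedelta, timezone

BASELINE_WINDOW = timedelta(days=14)  # queryPeriod P14D
RECENT_WINDOW = timedelta(hours=1)    # queryFrequency PT1H

def actor_user(event):
    """Mirror of tostring(AdditionalFields.input_user): missing user -> ''."""
    fields = event.get("AdditionalFields") or {}
    return str(fields.get("input_user") or "")

def new_tool_uses(events, now, per_user=True):
    """One row per (ActorUser, ToolName) not seen in the baseline but used in
    the last hour. per_user=False baselines on ModelName alone, the fallback the
    rule's description suggests when callers never set the 'user' parameter."""
    user = actor_user if per_user else (lambda e: "")
    key = lambda e: (e["ModelName"], user(e), e["ToolName"])  # leftanti join keys
    known = {key(e) for e in events                           # 14-day baseline
             if now - BASELINE_WINDOW <= e["TimeGenerated"] <= now - RECENT_WINDOW
             and e.get("ToolName")}
    rows = {}
    for e in events:                                          # recent window
        if e["TimeGenerated"] <= now - RECENT_WINDOW or not e.get("ToolName"):
            continue
        if key(e) in known:                                   # drop baseline matches
            continue
        r = rows.setdefault((user(e), e["ToolName"]),
                            {"FirstSeen": e["TimeGenerated"], "Requests": 0, "Models": set()})
        r["FirstSeen"] = min(r["FirstSeen"], e["TimeGenerated"])
        r["Requests"] += 1
        r["Models"].add(e["ModelName"])
    return sorted(({"ActorUser": u, "ToolName": t, **r} for (u, t), r in rows.items()),
                  key=lambda r: r["FirstSeen"], reverse=True)  # order by FirstSeen desc

# Constructed sample events (not real telemetry), timed relative to NOW.
NOW = datetime(2026, 6, 8, 12, 0, tzinfo=timezone.utc)

def _ev(minutes_ago, model, tool, user=None):
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago), "ModelName": model,
            "ToolName": tool, "AdditionalFields": {"input_user": user} if user else {}}

SAMPLE_EVENTS = [
    _ev(3 * 24 * 60, "gpt-4o", "get_weather", "alice"),  # baseline: alice already uses it
    _ev(3 * 24 * 60, "gpt-4o", "search_docs"),           # baseline: caller sets no 'user'
    _ev(30, "gpt-4o", "get_weather", "alice"),           # in baseline -> no alert
    _ev(30, "gpt-4o", "run_sql", "alice"),               # new tool -> alert
    _ev(20, "gpt-4o-mini", "get_weather", "alice"),      # known tool, new model -> alert
    _ev(10, "gpt-4o", "search_docs"),                    # known under the empty-user key
    _ev(5, "gpt-4o", "", "alice"),                       # no tool call -> ignored
]
```

A caller with no events in the 14-day window has no baseline rows, so its first hour of tool use alerts on every tool it calls, exactly as the KQL's leftanti join does.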

David Alonso
Released: June 8, 2026