Query Details
The Hunt For Top 10 Self Hosted AI
Query
// The Hunt for Top 10 Self Hosted AI // https://www.wiz.io/state-of-ai-in-the-cloud let Top10AIModels = dynamic(["BERT","DistilBERT","RoBERTa","T5","Llama","MPNet","GPT-2", "XLM-RoBERTa","CLIP","BART","Mistral","DeBERTa-v2","Qwen2"]); let LLM_ModelName = ExposureGraphNodes | where NodeLabel == "baseModel" | extend ModelName = parse_json(NodeProperties)["rawData"]["aiModelMetadata"]["modelName"] | where ModelName has_any(Top10AIModels) | project ModelName; DeviceFileEvents | where Timestamp > ago (30d) | where InitiatingProcessVersionInfoFileDescription has_any (LLM_ModelName) or InitiatingProcessFolderPath has_any (LLM_ModelName) or InitiatingProcessFileName has_any (LLM_ModelName) or InitiatingProcessVersionInfoFileDescription has_any (Top10AIModels) or InitiatingProcessFolderPath has_any (Top10AIModels) or InitiatingProcessFileName has_any (Top10AIModels)
Explanation
This query is designed to identify and track the usage of specific AI models, particularly those that are self-hosted, within a network over the past 30 days. Here's a simplified breakdown:
-
Define Top AI Models: It starts by defining a list of top AI models (like BERT, GPT-2, etc.) that are of interest.
-
Extract Model Names: It then looks into a dataset called
ExposureGraphNodesto find nodes labeled as "baseModel". From these nodes, it extracts the model names that match any of the top AI models listed. -
Track File Events: The query then examines another dataset,
DeviceFileEvents, to find any file events within the last 30 days that are associated with these AI models. It checks various attributes like file descriptions, folder paths, and file names to see if they contain any of the top AI model names.
In essence, the query is hunting for any activity related to the top 10 self-hosted AI models within the last month, by analyzing file events and processes on devices.
Details
Steven Lim
Released: February 15, 2025
Tables
Keywords
Operators