Data Source

New Microsoft Sentinel solution for ingesting OpenAI telemetry through REST API polling. Covers two distinct data streams: organizational audit events and chat completion metadata from the OpenAI platform.

Ingestion Mechanism

CCF-based connector with dual REST API pollers:

  • Audit logs: requires an organization-level admin API key; populates the OpenAIAuditLogs_CL table
  • Chat completions: requires a project-level API key; populates the OpenAIChatCompletions_CL table

Both streams use 5-minute query windows with 5 QPS rate limiting and support independent configuration.

Detection Surface Unlocked

Audit Log Visibility:

  • API key lifecycle events (creation, updates, deletion)
  • Organization configuration changes
  • User administrative actions
  • Security-relevant organization events

Chat Completion Monitoring:

  • Model usage patterns and token consumption
  • Request metadata and performance metrics
  • Captures only completions stored with the store: true parameter

Security Impact

Establishes visibility into AI platform governance and usage patterns. Audit logs enable detection of unauthorized API key management and organizational security events. Chat completion data supports usage monitoring and potential data exfiltration detection through abnormal token consumption patterns.
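The two detections described above, as an added example that is not part of the solution's own content: it filters API key lifecycle events from audit records and flags 5-minute windows whose token total far exceeds the median. It assumes records shaped like the raw OpenAI API objects (type, effective_at, actor, created, usage.total_tokens); the column names in the Sentinel tables may differ, and the sample data, function names and 5x threshold are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

WINDOW_SECONDS = 300  # same size as the connector's 5-minute query window

def _actor(email):
    # Constructed actor block; real audit events may carry an api_key actor instead.
    return {"type": "session", "session": {"user": {"email": email}}}

# Constructed sample audit events (not real telemetry).
AUDIT_EVENTS = [
    {"id": "audit_1", "type": "api_key.created", "effective_at": 1700000100,
     "actor": _actor("admin@example.com")},
    {"id": "audit_2", "type": "user.added", "effective_at": 1700000200,
     "actor": _actor("admin@example.com")},
    {"id": "audit_3", "type": "api_key.deleted", "effective_at": 1700000400,
     "actor": _actor("dev@example.com")},
]

# Constructed sample completions as (created, total_tokens) pairs.
_SAMPLES = [(1700000110, 900), (1700000250, 1100), (1700000450, 1800),
            (1700000800, 2200), (1700001050, 30000), (1700001200, 12000)]
COMPLETIONS = [{"id": f"chatcmpl-{i}", "created": ts, "model": "gpt-4o",
                "usage": {"total_tokens": tok}}
               for i, (ts, tok) in enumerate(_SAMPLES)]

def key_lifecycle_events(events):
    """Return (type, actor email, time) for every api_key.* audit event."""
    hits = []
    for e in events:
        if e["type"].startswith("api_key."):
            user = e.get("actor", {}).get("session", {}).get("user", {})
            hits.append((e["type"], user.get("email", "unknown"), e["effective_at"]))
    return hits

def token_spikes(completions, factor=5):
    """Sum total_tokens per window; return windows above factor x median."""
    totals = defaultdict(int)
    for c in completions:
        start = c["created"] - c["created"] % WINDOW_SECONDS
        totals[start] += c["usage"]["total_tokens"]
    if not totals:
        return []
    baseline = median(totals.values())
    return sorted((w, t) for w, t in totals.items() if t > factor * baseline)

if __name__ == "__main__":
    print(key_lifecycle_events(AUDIT_EVENTS))
    print(token_spikes(COMPLETIONS))
```

Because only completions stored with store: true are ingested, a quiet window in this data does not prove the project was idle.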

Note: Audit logging must be enabled in OpenAI organization settings before deployment and cannot be disabled without contacting OpenAI support.

Affected Files

Logos/OpenAI.svg
Solutions/OpenAI/Data Connectors/OpenAI_CCP/OpenAIAuditLogs_Table.json
Solutions/OpenAI/Data Connectors/OpenAI_CCP/OpenAIChatCompletions_Table.json
Solutions/OpenAI/Data Connectors/OpenAI_CCP/OpenAI_ConnectorDefinition.json
Solutions/OpenAI/Data Connectors/OpenAI_CCP/OpenAI_DCR.json
Solutions/OpenAI/Data Connectors/OpenAI_CCP/OpenAI_PollingConfig.json
Solutions/OpenAI/Package/testParameters.json
Solutions/OpenAI/Parsers/parser_OpenAIAuditLogsAliasFunction.json
Solutions/OpenAI/Parsers/parser_OpenAIChatCompletionsAliasFunction.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_OpenAI.json, createUiDefinition.json, mainTemplate.json)