Description
The OpenAI integration today covers API-Platform telemetry (Usage, Rate Limits, org Audit Logs). It does not cover the ChatGPT Enterprise workspace plane — end-user and admin activity inside a ChatGPT Enterprise/Edu workspace — which is where the security value for SOC teams sits.
SOC use cases
- AI account takeover — login anomalies, impossible travel, anomalous geo on accounts holding corporate data.
- Control tampering — SCIM disabled, IP allowlist removed, audit logging off, role escalation, rogue keys/service accounts.
- Shadow AI & insider risk — custom GPT/agent sprawl, over-permissive sharing, Codex/GitHub connections, abnormal file activity.
Scope
Collect the following from the Compliance Logs Platform, ECS-aligned, with detection rules and a security dashboard:
- User Authentication (
AUTH_LOG) — login/logout success & failure with IP, geo, user agent, JA3/JA4.
- Admin Audit — role/permission changes, SCIM, IP allowlist, API-key/service-account lifecycle, org/config changes.
- GPT/agent configuration — creation, sharing scope, external tool connections.
- Codex usage events.
- File upload metadata — filename, size, type, user, conversation ref (metadata only, not contents).
- Workspace user lifecycle (also useful for identity enrichment).
Open questions
Description
The OpenAI integration today covers API-Platform telemetry (Usage, Rate Limits, org Audit Logs). It does not cover the ChatGPT Enterprise workspace plane — end-user and admin activity inside a ChatGPT Enterprise/Edu workspace — which is where the security value for SOC teams sits.
SOC use cases
Scope
Collect the following from the Compliance Logs Platform, ECS-aligned, with detection rules and a security dashboard:
AUTH_LOG) — login/logout success & failure with IP, geo, user agent, JA3/JA4.Open questions