Skip to content

[New Integration] OpenAI Compliance API #19399

Description

@jamiehynds

Description

The OpenAI integration today covers API-Platform telemetry (Usage, Rate Limits, org Audit Logs). It does not cover the ChatGPT Enterprise workspace plane — end-user and admin activity inside a ChatGPT Enterprise/Edu workspace — which is where the security value for SOC teams sits.

SOC use cases

  • AI account takeover — login anomalies, impossible travel, anomalous geo on accounts holding corporate data.
  • Control tampering — SCIM disabled, IP allowlist removed, audit logging off, role escalation, rogue keys/service accounts.
  • Shadow AI & insider risk — custom GPT/agent sprawl, over-permissive sharing, Codex/GitHub connections, abnormal file activity.

Scope

Collect the following from the Compliance Logs Platform, ECS-aligned, with detection rules and a security dashboard:

  • User Authentication (AUTH_LOG) — login/logout success & failure with IP, geo, user agent, JA3/JA4.
  • Admin Audit — role/permission changes, SCIM, IP allowlist, API-key/service-account lifecycle, org/config changes.
  • GPT/agent configuration — creation, sharing scope, external tool connections.
  • Codex usage events.
  • File upload metadata — filename, size, type, user, conversation ref (metadata only, not contents).
  • Workspace user lifecycle (also useful for identity enrichment).

Open questions

Metadata

Metadata

Assignees

No one assigned

    Labels

    9.5 candidateEpicNew IntegrationIssue or pull request for creating a new integration package.Team:Security-Service IntegrationsSecurity Service Integrations team [elastic/security-service-integrations]

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions