OpenAI Logs
Panther supports pulling logs directly from OpenAI
Overview
Panther can fetch OpenAI audit logs by querying the OpenAI Audit Logs API. Panther queries the Audit Logs API every minute. For Panther to access the API, you need to create a new OpenAI API key with appropriate permissions.
Common OpenAI audit log event types
See a full list of audit log event types here. Common events include:
api_key.created
api_key.updated
api_key.deleted
project.created
project.updated
project.deleted
user.added
user.updated
user.deleted
service_account.created
service_account.updated
service_account.deleted
How to onboard OpenAI logs to Panther
Prerequisites
You are logged into OpenAI as an organization owner or administrator. This is required to complete Step 1.
Audit logs have been activated in the Data Controls Settings page in OpenAI.
Step 1: Create a new OpenAI API key
In your OpenAI account, navigate to Settings > Organization > API keys.
Click Create new secret key.
Enter a descriptive name for your key, e.g., Panther Audit Log Access.
Configure the key permissions:
Permissions: Set to Read-only (or ensure the key has read access to audit logs).
Ensure the key has access to the Audit Logs resource.
Copy the API key value and store it in a secure location. You will need it in the next steps.
OpenAI will not display this value again.
Step 2: Find your OpenAI organization ID
In OpenAI, navigate to Settings > Organization.
Locate your Organization ID (format: org-xxxxxxxxxxxxxxxxxxxxxxxx).
Copy this value. You will need it in the next step.
Step 3: Create a new OpenAI source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "OpenAI," then click its tile.
On the slide-out panel, click Start Setup.
On the Configuration page, enter a descriptive Name, e.g., My OpenAI Audit Logs.
The Log Types read-only dropdown will have an OpenAI.AuditLogs value.
Click Setup.
On the Credentials page, fill in the following fields:
Organization ID: Enter the Organization ID you copied in Step 2.
API Key: Enter the API key value you generated in Step 1.
Click Setup.
You will be directed to a verification screen that confirms Panther can successfully connect to the OpenAI API.
You can optionally enable one or more Detection Packs.
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
Custom detection patterns
API key creation monitoring example
Monitor when new API keys are created in your OpenAI organization:

def rule(event):
    return event.get('type') == 'api_key.created'

def title(event):
    actor_email = event.deep_get('actor', 'user', 'email', default='Unknown')
    return f'New OpenAI API key created by {actor_email}'

Administrative user changes example
Detect when users are added or their roles are modified:

def rule(event):
    event_type = event.get('type', '')
    return event_type in ['user.added', 'user.updated']

def severity(event):
    # Higher severity for role changes
    if event.get('type') == 'user.updated':
        return 'MEDIUM'
    return 'INFO'

Project deletion monitoring example
Alert when projects are deleted:

def rule(event):
    return event.get('type') == 'project.deleted'

def alert_context(event):
    return {
        'actor_email': event.deep_get('actor', 'user', 'email'),
        'project_id': event.deep_get('project', 'id'),
        'project_name': event.deep_get('project', 'name'),
        'timestamp': event.get('effective_at')
    }

Supported log types
OpenAI.AuditLogs
OpenAI audit logs track administrative and security-related events within your OpenAI organization, including API key management, project changes, user actions, and access control modifications.
Reference: OpenAI Audit Logs API Documentation

schema: OpenAI.AuditLogs
description: |
  OpenAI audit logs provide visibility into administrative actions and security events within your OpenAI organization. These logs help track API key usage, project management, and user access control.
referenceURL: https://platform.openai.com/docs/api-reference/audit-logs
fields:
  - name: id
    required: true
    description: Unique identifier for the audit log event
    type: string
  - name: type
    required: true
    description: The type of event that occurred
    type: string
  - name: effective_at
    required: true
    description: Unix timestamp (in seconds) when the event occurred
    type: timestamp
    timeFormat: unix
    isEventTime: true
  - name: actor
    description: The entity that performed the action
    type: object
    fields:
      - name: type
        description: The type of actor (e.g., user, service_account, system)
        type: string
      - name: user
        description: Details about the user who performed the action
        type: object
        fields:
          - name: id
            description: The user's unique identifier
            type: string
          - name: email
            description: The user's email address
            type: string
            indicators:
              - email
      - name: service_account
        description: Details about the service account that performed the action
        type: object
        fields:
          - name: id
            description: The service account's unique identifier
            type: string
      - name: api_key
        description: Details about the API key used to perform the action
        type: object
        fields:
          - name: id
            description: The API key's unique identifier
            type: string
          - name: type
            description: The type of API key
            type: string
          - name: user
            description: The user associated with the API key
            type: object
            fields:
              - name: id
                description: The user's unique identifier
                type: string
              - name: email
                description: The user's email address
                type: string
                indicators:
                  - email
          - name: service_account
            description: The service account associated with the API key
            type: object
            fields:
              - name: id
                description: The service account's unique identifier
                type: string
  - name: project
    description: Details about the project affected by the action
    type: object
    fields:
      - name: id
        description: The project's unique identifier
        type: string
      - name: name
        description: The project's name
        type: string
  - name: api_key
    description: Details about the API key affected by the action
    type: object
    fields:
      - name: id
        description: The API key's unique identifier
        type: string
      - name: type
        description: The type of API key
        type: string
      - name: user
        description: The user associated with the API key
        type: object
        fields:
          - name: id
            description: The user's unique identifier
            type: string
          - name: email
            description: The user's email address
            type: string
            indicators:
              - email
      - name: service_account
        description: The service account associated with the API key
        type: object
        fields:
          - name: id
            description: The service account's unique identifier
            type: string
  - name: user
    description: Details about the user affected by the action
    type: object
    fields:
      - name: id
        description: The user's unique identifier
        type: string
      - name: email
        description: The user's email address
        type: string
        indicators:
          - email
      - name: role
        description: The user's role in the organization
        type: string
  - name: service_account
    description: Details about the service account affected by the action
    type: object
    fields:
      - name: id
        description: The service account's unique identifier
        type: string
      - name: name
        description: The service account's name
        type: string
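
The schema above records the actor under several paths (actor.user, actor.api_key.user, actor.api_key.service_account, actor.service_account), so a rule that reads only actor.user.email reports "Unknown" whenever an action was performed with an API key. The following is an added example, not part of Panther's documentation or detection packs: a credential-creation rule that resolves the actor across all of those paths. SampleEvent is a local stand-in for Panther's event object, the sample events are constructed, and the actor-kind labels and severity choice are assumptions.

```python
class SampleEvent(dict):
    """Local stand-in (assumption) for Panther's event object; adds deep_get()."""
    def deep_get(self, *keys, default=None):
        node = self
        for key in keys:
            if not isinstance(node, dict) or key not in node:
                return default
            node = node[key]
        return default if node is None else node

# Actor identity paths taken from the OpenAI.AuditLogs schema, checked in order.
ACTOR_PATHS = [
    ("user", ("actor", "user", "email")),
    ("api_key_user", ("actor", "api_key", "user", "email")),
    ("api_key_service_account", ("actor", "api_key", "service_account", "id")),
    ("service_account", ("actor", "service_account", "id")),
]

def resolve_actor(event):
    """Return (kind, identifier) for whoever performed the action."""
    for kind, path in ACTOR_PATHS:
        value = event.deep_get(*path)
        if value:
            return kind, value
    return "unknown", "Unknown"

def rule(event):
    return event.get("type") in ("api_key.created", "service_account.created")

def title(event):
    kind, ident = resolve_actor(event)
    return f"OpenAI {event.get('type')} by {ident} ({kind})"

def severity(event):
    # Credentials created by a key, a service account, or an unidentified
    # actor are raised above those created by an interactive user.
    kind, _ = resolve_actor(event)
    return "INFO" if kind == "user" else "MEDIUM"

# Constructed sample events (not real audit log data).
BY_USER = SampleEvent({"type": "api_key.created",
                       "actor": {"type": "user", "user": {"email": "alice@example.com"}}})
BY_KEY = SampleEvent({"type": "service_account.created",
                      "actor": {"api_key": {"id": "key_constructed",
                                            "service_account": {"id": "svc_constructed"}}}})
NO_ACTOR = SampleEvent({"type": "api_key.created"})
```
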

