Rules (XIF)
[MODEL: dataset="openai_admin_audit_raw"]
// OpenAI Organization Admin Audit Logs -> XDM
// Supports two stories:
// * Authentication (AUTH) -> login.* events
// * SaaS Audit -> all non-login admin/audit events (api_key.*, organization.*, etc.)
alter
xdm.event.type = if(type ~= "^login\.", "authentication", "saas audit"),
xdm.event.original_event_type = type,
xdm.event.outcome = if(
type ~= "\.succeeded$", XDM_CONST.OUTCOME_SUCCESS,
type ~= "\.failed$", XDM_CONST.OUTCOME_FAILED,
XDM_CONST.OUTCOME_SUCCESS),
xdm.event.outcome_reason = if(
type in ("login.succeeded", "logout.succeeded"), null,
coalesce(
json_extract_scalar(login, "$.failed.error_code"),
json_extract_scalar(logout, "$.failed.error_code"))),
xdm.source.user.upn = json_extract_scalar(actor, "$.session.user.email"),
xdm.source.user.identifier = if(type ~= "^login\.",
json_extract_scalar(actor, "$.session.user.id"),
coalesce(
json_extract_scalar(actor, "$.session.user.id"),
json_extract_scalar(actor, "$.api_key.user.id"),
json_extract_scalar(actor, "$.api_key.service_account.id"))),
xdm.source.user.username = if(type ~= "^login\.",
json_extract_scalar(actor, "$.session.user.email"),
coalesce(
json_extract_scalar(actor, "$.session.user.email"),
json_extract_scalar(actor, "$.api_key.user.email"))),
xdm.source.user.identity_type = if(type ~= "^login\.", null,
if(json_extract_scalar(actor, "$.type") = "session"
or (json_extract_scalar(actor, "$.type") = "api_key" and json_extract_scalar(actor, "$.api_key.type") = "user"),
XDM_CONST.IDENTITY_TYPE_USER,
XDM_CONST.IDENTITY_TYPE_APPLICATION)),
xdm.source.ipv4 = json_extract_scalar(actor, "$.session.ip_address"),
xdm.source.user_agent = json_extract_scalar(actor, "$.session.user_agent"),
xdm.source.port = to_integer(0),
xdm.target.ipv4 = "",
xdm.target.port = to_integer(0),
xdm.network.ip_protocol = XDM_CONST.IP_PROTOCOL_TCP,
xdm.event.operation = if(type ~= "^login\.", XDM_CONST.OPERATION_TYPE_AUTH_LOGIN, null),
xdm.auth.service = "SP",
xdm.event.tags = if(type ~= "^login\.", arraycreate(XDM_CONST.EVENT_TAG_AUTHENTICATION), null),
xdm.source.location.country = json_extract_scalar(actor, "$.session.ip_address_details.country"),
xdm.source.location.city = json_extract_scalar(actor, "$.session.ip_address_details.city"),
xdm.source.location.region = json_extract_scalar(actor, "$.session.ip_address_details.region"),
xdm.source.location.latitude = to_float(json_extract_scalar(actor, "$.session.ip_address_details.latitude")),
xdm.source.location.longitude = to_float(json_extract_scalar(actor, "$.session.ip_address_details.longitude")),
xdm.observer.type = "OpenAI API Platform",
xdm.observer.sub_type = "Audit Logs",
xdm.target.resource.id = if(
type in ("login.succeeded", "login.failed", "logout.succeeded", "logout.failed",
"resource.deleted", "tunnel.created", "tunnel.updated", "tunnel.deleted",
"ip_allowlist.config.activated", "ip_allowlist.config.deactivated",
"certificates.activated", "certificates.deactivated"), null,
type = "api_key.created", json_extract_scalar(api_key_created, "$.id"),
type = "api_key.updated", json_extract_scalar(api_key_updated, "$.id"),
type = "api_key.deleted", json_extract_scalar(api_key_deleted, "$.id"),
type = "invite.sent", json_extract_scalar(invite_sent, "$.id"),
type = "invite.accepted", json_extract_scalar(invite_accepted, "$.id"),
type = "invite.deleted", json_extract_scalar(invite_deleted, "$.id"),
type = "user.added", json_extract_scalar(user_added, "$.id"),
type = "user.updated", json_extract_scalar(user_updated, "$.id"),
type = "user.deleted", json_extract_scalar(user_deleted, "$.id"),
type = "project.created", json_extract_scalar(project_created, "$.id"),
type = "project.updated", json_extract_scalar(project_updated, "$.id"),
type = "project.archived", json_extract_scalar(project_archived, "$.id"),
type = "service_account.created", json_extract_scalar(service_account_created, "$.id"),
type = "service_account.updated", json_extract_scalar(service_account_updated, "$.id"),
type = "service_account.deleted", json_extract_scalar(service_account_deleted, "$.id"),
type = "role.created", json_extract_scalar(role_created, "$.id"),
type = "role.updated", json_extract_scalar(role_updated, "$.id"),
type = "group.created", json_extract_scalar(group_created, "$.id"),
type = "group.updated", json_extract_scalar(group_updated, "$.id"),
type = "certificate.created", json_extract_scalar(certificate_created, "$.id"),
type = "certificate.updated", json_extract_scalar(certificate_updated, "$.id"),
type = "certificate.deleted", json_extract_scalar(certificate_deleted, "$.id"),
type = "organization.updated", json_extract_scalar(organization_updated, "$.id"),
null),
xdm.target.resource.name = if(
type not in ("certificate.created", "certificate.updated", "certificate.deleted",
"ip_allowlist.created", "ip_allowlist.deleted",
"role.created", "role.updated", "group.created", "group.updated",
"invite.sent", "project.created", "organization.updated"), null,
type = "certificate.created", json_extract_scalar(certificate_created, "$.name"),
type = "certificate.updated", json_extract_scalar(certificate_updated, "$.name"),
type = "certificate.deleted", json_extract_scalar(certificate_deleted, "$.name"),
type = "ip_allowlist.created", json_extract_scalar(ip_allowlist_created, "$.name"),
type = "ip_allowlist.deleted", json_extract_scalar(ip_allowlist_deleted, "$.name"),
type = "role.created", json_extract_scalar(role_created, "$.role_name"),
type = "role.updated", json_extract_scalar(role_updated, "$.changes_requested.role_name"),
type = "group.created", json_extract_scalar(group_created, "$.data.group_name"),
type = "group.updated", json_extract_scalar(group_updated, "$.changes_requested.group_name"),
type = "invite.sent", json_extract_scalar(invite_sent, "$.data.email"),
type = "project.created", json_extract_scalar(project_created, "$.data.name"),
coalesce(
json_extract_scalar(organization_updated, "$.changes_requested.name"),
json_extract_scalar(organization_updated, "$.changes_requested.title")));
[MODEL: dataset="openai_chatgpt_compliance_raw"]
// OpenAI ChatGPT Enterprise Compliance API Logs -> XDM
// Primary story: SaaS Audit - admin/workspace audit activity.
// Authentication (AUTH): only INVITE_ACCEPT carries a real user identity/auth-relevant.
alter
xdm.event.type = if(action = "INVITE_ACCEPT", "authentication", "saas audit"),
xdm.event.original_event_type = action,
xdm.event.outcome = if(
action_result = "SUCCESS", XDM_CONST.OUTCOME_SUCCESS,
action_result in("ERROR", "BLOCKED"), XDM_CONST.OUTCOME_FAILED,
action_result = null, null,
XDM_CONST.OUTCOME_FAILED),
xdm.event.outcome_reason = if(
action_result = "BLOCKED", "auth_policy_access_violation",
action_result = "ERROR", "OTHER",
"NOT_SPECIFIED"),
xdm.source.user.identifier = coalesce(
json_extract_scalar(actor, "$.user_id"),
json_extract_scalar(actor, "$.redacted_id")),
xdm.source.user.upn = json_extract_scalar(actor, "$.user_email"),
xdm.source.user.username = json_extract_scalar(actor, "$.user_email"),
xdm.source.user.user_type = if(
json_extract_scalar(actor, "$.type") = "ACCOUNT_USER", XDM_CONST.USER_TYPE_REGULAR,
json_extract_scalar(actor, "$.type") = "API_KEY", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT,
null),
xdm.auth.privilege_level = if(
action_privilege = "ADMIN", XDM_CONST.PRIVILEGE_LEVEL_ADMIN,
action_privilege = "STANDARD_USER", XDM_CONST.PRIVILEGE_LEVEL_USER,
null),
xdm.source.ipv4 = json_extract_scalar(request_metadata, "$.client_ip"),
xdm.source.user_agent = json_extract_scalar(request_metadata, "$.client_user_agent"),
xdm.source.port = to_integer(0),
xdm.target.ipv4 = "",
xdm.target.port = to_integer(0),
xdm.network.ip_protocol = XDM_CONST.IP_PROTOCOL_TCP,
xdm.event.operation = if(action = "INVITE_ACCEPT", XDM_CONST.OPERATION_TYPE_AUTH_LOGIN, null),
xdm.auth.service = "SP",
xdm.event.tags = if(action = "INVITE_ACCEPT", arraycreate(XDM_CONST.EVENT_TAG_AUTHENTICATION), null),
xdm.source.location.country = json_extract_scalar(request_metadata, "$.client_ip_details.country"),
xdm.source.location.city = json_extract_scalar(request_metadata, "$.client_ip_details.city"),
xdm.source.location.region = json_extract_scalar(request_metadata, "$.client_ip_details.region"),
xdm.source.location.latitude = to_float(json_extract_scalar(request_metadata, "$.client_ip_details.latitude")),
xdm.source.location.longitude = to_float(json_extract_scalar(request_metadata, "$.client_ip_details.longitude")),
xdm.observer.type = "OpenAI API Platform",
xdm.target.resource.id = workspace_id,
xdm.target.resource.name = json_extract_scalar(request_metadata, "$.destination_hostname"),
xdm.network.session_id = conversation_id;