OpenAI Organization Audit Events
OpenAI provides comprehensive organization audit logging for monitoring API key management, user authentication, project lifecycle, and administrative actions. These logs capture information such as API key creation and deletion, login attempts, project changes, user and service account management, and configuration updates. They help administrators track platform usage, ensure compliance, and audit changes for troubleshooting and security analysis.
Ingest Methods
Setup the ingestion of this source using one of the following guides.
API Polling
OpenAI supports API polling to collect audit log events from your organization via the Admin API.
Setup
- Go to Sources in RunReveal
- Click the OpenAI source tile
- Give it a name and click Connect Source
- Fill in the required field with your OpenAI Admin API key
OpenAI Admin API Key Configuration
To generate an Admin API key for RunReveal:
Prerequisites:
- You must be an Organization Owner to create Admin API keys
- Audit logging must be enabled under Organization Settings → Data Controls → Audit Logging (once enabled, it cannot be disabled)
Creating the Admin API Key:
- Sign in to platform.openai.com as an Organization Owner
- Navigate to Organization Settings → Admin Keys
- Click “Create admin key”
- Provide a name (e.g., “RunReveal Integration”)
- Important: Copy the API key immediately — it will only be displayed once
Admin API Key Required: This integration requires an Admin API key, not a regular project API key. Admin keys are created under Organization Settings → Admin Keys and provide access to organization-level audit logs. Regular API keys created under project settings will not work.
OpenAI Event Types
The OpenAI integration collects comprehensive audit events from your organization. These events provide visibility into platform operations, user management, and security-relevant actions.
Event Categories Collected
API Key Management
- API Key Created — New API key generation with scope information
- API Key Updated — Changes to API key scopes and permissions
- API Key Deleted — API key revocation and cleanup
User Authentication
- Login Succeeded — Successful user authentication events
- Login Failed — Failed login attempts with error details
- Logout Succeeded/Failed — Session termination events
User & Service Account Management
- User Added/Updated/Deleted — User lifecycle events with role information
- Service Account Created/Updated/Deleted — Service account management
- Invite Sent/Accepted/Deleted — Organization invitation tracking
Project Lifecycle
- Project Created/Updated/Archived/Deleted — Project management events
- Rate Limit Updated/Deleted — Project rate limit configuration changes
Organization Administration
- Organization Updated — Changes to organization settings including API call logging, description, and visibility controls
- SCIM Enabled/Disabled — SCIM provisioning configuration
- IP Allowlist Created/Updated/Deleted — Network access control changes
- IP Allowlist Config Activated/Deactivated — Allowlist enforcement changes
Security & Access Control
- Role Created/Updated/Deleted — Custom role management with permission tracking
- Role Assignment Created/Deleted — Role binding to users and groups
- Group Created/Updated/Deleted — Group management for access control
- Certificate Created/Updated/Deleted — TLS certificate management
- Certificates Activated/Deactivated — Certificate enforcement changes
- External Key Registered/Removed — External key configuration changes
- Tunnel Created/Updated/Deleted — Network tunnel management
Event Data Structure
Each OpenAI audit event includes:
- Actor Information — Actor type (session or API key), user ID, email, IP address, and service account details
- Event Details — Event type, effective timestamp, and event-specific payload
- Project Context — Project ID and name when the action is scoped to a project
Data Collection
- Collection Method: API polling every 5 minutes
- Event Format: JSON with normalized fields for consistent querying
- Real-time Updates: New events appear in RunReveal within 5-10 minutes
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: openai_audit_logs (46 columns)
openai_audit_logs (46 columns)| Column | Type |
|---|---|
workspaceID | String |
sourceID | String |
sourceType | String |
sourceTTL | UInt32 |
receivedAt | DateTime |
id | String |
eventTime | DateTime |
eventName | String |
eventID | String |
srcIP | String |
srcASCountryCode | String |
srcASNumber | UInt32 |
srcASOrganization | String |
srcCity | String |
srcConnectionType | String |
srcISP | String |
srcLatitude | Float64 |
srcLongitude | Float64 |
srcUserType | String |
dstIP | String |
dstASCountryCode | String |
dstASNumber | UInt32 |
dstASOrganization | String |
| Column | Type |
|---|---|
dstCity | String |
dstConnectionType | String |
dstISP | String |
dstLatitude | Float64 |
dstLongitude | Float64 |
dstUserType | String |
actor | Map(String, String) |
tags | Map(String, String) |
resources | Array(String) |
serviceName | String |
enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
readOnly | Bool |
rawLog | String |
eventType | String |
actorType | String |
actorIP | String |
actorUserID | String |
actorUserEmail | String |
apiKeyID | String |
apiKeyType | String |
serviceAccountID | String |
projectID | String |
projectName | String |
Helpful Links
- OpenAI Audit Logs API Reference - API reference for querying organization audit log events
- Admin and Audit Logs API Overview - Guide to setting up and using the Admin API for audit logging