[OpenAI] Updatethe OpenAI chat completions data connector to ingest to ASimAgentEventLogs table

[marjoriehahn]

Change(s):

• Deleted OpenAIChatCompletions_Table.json — custom OpenAIChatCompletions_CL table definition is no longer needed
• Updated OpenAI_DCR.json: changed output stream from Custom-OpenAIChatCompletions_CL to Microsoft-ASimAgentEventLogs; rewrote transform KQL to map OpenAI API response fields to the ASIM AgentEvent schema (EventUid, EventRequestId, ModelName, InputTokensUsed, OutputTokensUsed, EventVendor, EventProduct, EventSchema, EventType, etc.)
• Updated OpenAI_PollingConfig.json: changed dataType to ASimAgentEventLogs; added addOnAttributes for ASIM fields (eventVendor, eventProduct, eventSchema, eventSchemaVersion, eventCount, eventType, modelProviderName)
• Updated OpenAI_ConnectorDefinition.json: updated connector description, graph queries, lastDataReceivedQuery, connectivity criteria query, and inline UI documentation to reference ASimAgentEventLogs
• Updated parser_OpenAIChatCompletionsAliasFunction.json: changed OpenAIChatCompletions alias function query from union isfuzzy=true OpenAIChatCompletions_CL, SentinelOpenAIChatCompletions to filter ASimAgentEventLogs by OpenAI EventVendor, EventProduct, and EventType
• Added SENTINEL_AGENT_EVENT → Microsoft-ASimAgentEventLogs mapping to Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1
• Bumped solution version from 3.0.0 to 3.1.0; updated ReleaseNotes.md; regenerated mainTemplate.json and 3.1.0.zip

Reason for Change(s):

• Normalizes OpenAI chat completions data into the ASIM (Advanced Security Information Model) ASimAgentEventLogs standard table, enabling cross-product query correlation and standardized security analysis within Microsoft Sentinel
• Removes the dependency on a custom OpenAIChatCompletions_CL table in favor of the built-in ASIM AgentEvent schema

Version Updated:

• Solution version updated from 3.0.0 to 3.1.0
• N/A — no Detections/Analytic Rule templates were modified

Testing Completed:

• Yes

Checked that the validations are passing and have addressed any issues that are present:

• Yes

---

[marjoriehahn]

@microsoft-github-policy-service agree company="Microsoft"

[jlheard]

Some questions about references to the deleted OpenAIChatCompletions in the connector definition file.

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the OpenAI chat completions ingestion path to land in the ASIM ASimAgentEventLogs standard table (instead of a custom _CL table), and bumps the OpenAI solution version accordingly.

Changes:

• Updated the OpenAI CCF DCR transform and connector assets to emit/visualize chat completions via ASimAgentEventLogs.
• Updated the OpenAI chat completions parser alias to query ASimAgentEventLogs with OpenAI-specific filters.
• Bumped solution version to 3.1.0, updated release notes, and regenerated the packaged template.

Reviewed changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1	Adds standard stream mapping for SENTINEL_AGENT_EVENT → Microsoft-ASimAgentEventLogs.
Solutions/OpenAI/ReleaseNotes.md	Adds a 3.1.0 release notes entry for the ASIM table migration.
Solutions/OpenAI/Parsers/parser_OpenAIChatCompletionsAliasFunction.json	Updates the alias function to query ASimAgentEventLogs by OpenAI identifiers.
Solutions/OpenAI/Package/mainTemplate.json	Regenerated package reflecting version bump and new ingestion/queries for ASIM table.
Solutions/OpenAI/Data/Solution_OpenAI.json	Bumps solution version to 3.1.0.
Solutions/OpenAI/Data Connectors/OpenAI_CCP/OpenAI_PollingConfig.json	Updates polling config to ASimAgentEventLogs and adds ASIM add-on attributes.
Solutions/OpenAI/Data Connectors/OpenAI_CCP/OpenAI_DCR.json	Updates DCR output stream and transform KQL to map into ASIM AgentEvent schema fields.
Solutions/OpenAI/Data Connectors/OpenAI_CCP/OpenAI_ConnectorDefinition.json	Updates UI documentation/queries to reference ASimAgentEventLogs.
Solutions/OpenAI/Data Connectors/OpenAI_CCP/OpenAIChatCompletions_Table.json	Removes custom table definition now that chat completions are normalized to ASIM.