Potential Denial of Azure OpenAI ML Service

Last updated a month ago on 2025-07-16

Created 6 months ago on 2025-02-25

About

Detects patterns indicative of Denial-of-Service (DoS) attacks on machine learning (ML) models, focusing on unusually high volume and frequency of requests or patterns of requests that are known to cause performance degradation or service disruption, such as large input sizes or rapid API calls.

Tags: Domain: LLMData Source: Azure OpenAIData Source: Azure Event HubsUse Case: Denial of ServiceMitre Atlas: T0029Language: esql
Severity: medium
Risk Score: 47
False Positive Examples: Unexpected system errorsLegitimate spikes in usage due to business processes
License: Elastic License v2(opens in a new tab or window)

Definition

Integration Pack: Prebuilt Security Detection Rules
Related Integrations: (opens in a new tab or window)
Query

from logs-azure_openai.logs-*
| eval
    Esql.time_window_date_trunc = date_trunc(1 minutes, @timestamp)
| where azure.open_ai.operation_name == "ChatCompletions_Create"
| keep
    azure.open_ai.properties.request_length,
    azure.resource.name,
    cloud.account.id,
    Esql.time_window_date_trunc
| stats
    Esql.event_count = count(*),
    Esql.azure_open_ai_properties_request_length_avg = avg(azure.open_ai.properties.request_length)
  by
    Esql.time_window_date_trunc,
    azure.resource.name
| where
    Esql.event_count >= 10 and
    Esql.azure_open_ai_properties_request_length_avg >= 5000
| sort Esql.event_count desc

Install detection rules in Elastic Security

Detect Potential Denial of Azure OpenAI ML Service in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).