Potential Denial of Azure OpenAI ML Service

Last updated 15 days ago on 2025-03-20

Created a month ago on 2025-02-25

About

Detects patterns indicative of Denial-of-Service (DoS) attacks on machine learning (ML) models, focusing on unusually high volume and frequency of requests or patterns of requests that are known to cause performance degradation or service disruption, such as large input sizes or rapid API calls.

Tags: Domain: LLMData Source: Azure OpenAIData Source: Azure Event HubsUse Case: Denial of ServiceMitre Atlas: T0029Language: esql
Severity: medium
Risk Score: 47
False Positive Examples: Unexpected system errorsLegitimate spikes in usage due to business processes
License: Elastic License v2(opens in a new tab or window)

Definition

Integration Pack: Prebuilt Security Detection Rules
Related Integrations: (opens in a new tab or window)
Query

from logs-azure_openai.logs-*
// truncate the timestamp to a 1-minute window
| eval target_time_window = DATE_TRUNC(1 minutes, @timestamp)
| where azure.open_ai.operation_name == "ChatCompletions_Create"
| keep azure.open_ai.properties.request_length, azure.resource.name, cloud.account.id,target_time_window
| stats count = count(), avg_request_size = avg(azure.open_ai.properties.request_length) by target_time_window, azure.resource.name
| where count >= 10 and avg_request_size >= 5000
| sort count desc

Install detection rules in Elastic Security

Detect Potential Denial of Azure OpenAI ML Service in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).