Techniques
Sample rules
Potential Denial of Azure OpenAI ML Service
- source: elastic
- techniques:
Description
Detects patterns indicative of Denial-of-Service (DoS) attacks on machine learning (ML) models, focusing on unusually high volume and frequency of requests or patterns of requests that are known to cause performance degradation or service disruption, such as large input sizes or rapid API calls.
Detection logic
// Read Azure OpenAI request logs
from logs-azure_openai.logs-*
// Bucket every event into a one-minute window
| eval
Esql.time_window_date_trunc = date_trunc(1 minutes, @timestamp)
// Only chat completion requests are considered
| where azure.open_ai.operation_name == "ChatCompletions_Create"
| keep
azure.open_ai.properties.request_length,
azure.resource.name,
cloud.account.id,
Esql.time_window_date_trunc
// Per window and resource: request count and mean prompt size
| stats
Esql.event_count = count(*),
Esql.azure_open_ai_properties_request_length_avg = avg(azure.open_ai.properties.request_length)
by
Esql.time_window_date_trunc,
azure.resource.name
// Alert on bursts of at least 10 requests per minute with large average request length
| where
Esql.event_count >= 10 and
Esql.azure_open_ai_properties_request_length_avg >= 5000
| sort Esql.event_count desc
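The same aggregation carried out in plain Python over constructed log records, as an added example that is not part of the Elastic rule or the page. It reproduces the rule step by step (filter on operation name, truncate to one-minute windows, count and average per resource, apply both thresholds, sort descending) so the behaviour on edge cases can be checked offline: a record with a missing request_length is still counted by count(*) but skipped by avg(), as in ES|QL. The resource names, account id and timestamps are constructed sample values, and the thresholds are parameters with the rule's defaults.

```python
from collections import defaultdict
from datetime import datetime

OPERATION = "ChatCompletions_Create"


def make_event(minute, second, resource, length, op=OPERATION):
    """Build one constructed log record using the field names the rule keeps."""
    return {
        "@timestamp": f"2024-01-01T12:{minute:02d}:{second:02d}Z",
        "azure.open_ai.operation_name": op,
        "azure.open_ai.properties.request_length": length,
        "azure.resource.name": resource,
        "cloud.account.id": "constructed-account-id",  # placeholder, not a real account
    }


# Constructed sample data (not real telemetry); resource names are hypothetical.
SAMPLE_EVENTS = (
    # 12 large prompts within one minute against openai-prod -> should fire
    [make_event(0, s, "openai-prod", 6000) for s in range(12)]
    # one record without request_length: counted by count(*), ignored by avg()
    + [make_event(0, 12, "openai-prod", None)]
    # a different operation in the same window is filtered out before stats
    + [make_event(0, s, "openai-prod", 7000, op="Completions_Create") for s in range(5)]
    # high volume but tiny prompts -> below the average-length threshold
    + [make_event(0, s, "openai-dev", 200) for s in range(15)]
    # very large prompts but only three of them -> below the count threshold
    + [make_event(1, s, "openai-batch", 9000) for s in range(3)]
)


def truncate_to_minute(ts):
    """Equivalent of date_trunc(1 minutes, @timestamp); returns an ISO string key."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt.replace(second=0, microsecond=0).isoformat()


def detect_dos_windows(events, min_events=10, min_avg_request_length=5000):
    """Return the (window, resource) buckets that satisfy the rule's where clause."""
    # (minute bucket, resource name) -> running aggregates
    buckets = defaultdict(lambda: {"count": 0, "length_sum": 0, "length_n": 0})
    for ev in events:
        if ev.get("azure.open_ai.operation_name") != OPERATION:
            continue
        key = (truncate_to_minute(ev["@timestamp"]), ev["azure.resource.name"])
        agg = buckets[key]
        agg["count"] += 1  # count(*) counts every row, null fields included
        length = ev.get("azure.open_ai.properties.request_length")
        if length is not None:  # avg() skips null values
            agg["length_sum"] += length
            agg["length_n"] += 1

    hits = []
    for (window, resource), agg in buckets.items():
        if agg["length_n"] == 0:
            continue  # avg() is null when no value was seen, so the where clause cannot match
        avg_len = agg["length_sum"] / agg["length_n"]
        if agg["count"] >= min_events and avg_len >= min_avg_request_length:
            hits.append({
                "Esql.time_window_date_trunc": window,
                "azure.resource.name": resource,
                "Esql.event_count": agg["count"],
                "Esql.azure_open_ai_properties_request_length_avg": avg_len,
            })
    # sort Esql.event_count desc
    hits.sort(key=lambda h: h["Esql.event_count"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in detect_dos_windows(SAMPLE_EVENTS):
        print(hit)
```

With the defaults only openai-prod is reported (13 requests, average length 6000); lowering min_events to 3 also surfaces openai-batch, which shows how sensitive the rule is to the count threshold when a few very large prompts are involved.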