LoFP / legitimate spikes in usage due to business processes

Techniques

Sample rules

Potential Denial of Azure OpenAI ML Service

Description

Detects patterns indicative of Denial-of-Service (DoS) attacks on machine learning (ML) models, focusing on unusually high volume and frequency of requests or patterns of requests that are known to cause performance degradation or service disruption, such as large input sizes or rapid API calls.

Detection logic

from logs-azure_openai.logs-*
| eval
    Esql.time_window_date_trunc = date_trunc(1 minutes, @timestamp)
| where azure.open_ai.operation_name == "ChatCompletions_Create"
| keep
    azure.open_ai.properties.request_length,
    azure.resource.name,
    cloud.account.id,
    Esql.time_window_date_trunc
| stats
    Esql.event_count = count(*),
    Esql.azure_open_ai_properties_request_length_avg = avg(azure.open_ai.properties.request_length)
  by
    Esql.time_window_date_trunc,
    azure.resource.name
| where
    Esql.event_count >= 10 and
    Esql.azure_open_ai_properties_request_length_avg >= 5000
| sort Esql.event_count desc
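The ES|QL rule above runs only inside Elasticsearch, so as an added example (not part of the rule or of the Azure OpenAI integration) the following Python reproduces the same pipeline over a constructed sample log: filter on operation name, bucket per minute and per resource, aggregate count and average request length, apply both thresholds, sort by count. The field names are taken from the rule; the resource names, timestamps, request sizes and the `known_batch_resources` exclusion are assumptions made for the example. The exclusion shows one way to handle the false-positive case this LoFP entry describes, a scheduled business process whose batch of large prompts looks exactly like the DoS signature.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean


def _event(ts, resource, op, request_length, account="000000000000"):
    """Build one constructed log event carrying the fields the rule keeps (assumed field names as in the rule)."""
    return {
        "@timestamp": ts,
        "azure.open_ai.operation_name": op,
        "azure.open_ai.properties.request_length": request_length,
        "azure.resource.name": resource,
        "cloud.account.id": account,
    }


def build_sample_events():
    """Constructed sample log; resource names and values are invented for the example, not real Azure data."""
    base = datetime(2024, 1, 1, 10, 0, 0, tzinfo=timezone.utc)
    events = []
    # 12 large chat-completion requests inside one minute on one resource: both thresholds met
    for i in range(12):
        events.append(_event(base + timedelta(seconds=4 * i), "prod-openai-eastus",
                             "ChatCompletions_Create", 8000 + i * 100))
    # 15 small requests in the same minute on another resource: count high, average length too low
    for i in range(15):
        events.append(_event(base + timedelta(seconds=3 * i), "dev-openai-westus",
                             "ChatCompletions_Create", 300))
    # 4 very large requests on a third resource: average length high, count too low
    for i in range(4):
        events.append(_event(base + timedelta(seconds=10 * i), "test-openai-northeu",
                             "ChatCompletions_Create", 20000))
    # 12 large embeddings requests: dropped by the operation_name filter before aggregation
    for i in range(12):
        events.append(_event(base + timedelta(seconds=5 * i), "prod-openai-eastus",
                             "Embeddings_Create", 9000))
    return events


def truncate_to_minute(ts):
    """Equivalent of date_trunc(1 minutes, @timestamp)."""
    return ts.replace(second=0, microsecond=0)


def detect_dos_windows(events, min_count=10, min_avg_request_length=5000,
                       known_batch_resources=frozenset()):
    """Return the (minute, resource) windows the rule would alert on, sorted by event count descending.

    known_batch_resources is an assumed tuning knob: resources whose scheduled jobs are a
    documented business process and are excluded so they do not raise the LoFP described above.
    """
    buckets = defaultdict(list)
    for ev in events:
        if ev["azure.open_ai.operation_name"] != "ChatCompletions_Create":
            continue
        if ev["azure.resource.name"] in known_batch_resources:
            continue
        key = (truncate_to_minute(ev["@timestamp"]), ev["azure.resource.name"])
        buckets[key].append(ev["azure.open_ai.properties.request_length"])

    hits = []
    for (window, resource), lengths in buckets.items():
        event_count = len(lengths)
        avg_len = mean(lengths)
        # both conditions must hold, as in the rule's final WHERE
        if event_count >= min_count and avg_len >= min_avg_request_length:
            hits.append({
                "time_window": window,
                "resource": resource,
                "event_count": event_count,
                "avg_request_length": avg_len,
            })
    hits.sort(key=lambda h: h["event_count"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in detect_dos_windows(build_sample_events()):
        print(hit)
```

Running it flags only the first resource (12 requests, average length 8550); the small-request burst and the four huge requests each fail one of the two conditions, and the embeddings traffic never reaches the aggregation. Passing that resource in `known_batch_resources` suppresses the alert, which is the tuning a team would apply after confirming the spike is a scheduled batch job rather than raising the global thresholds for everyone.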