OpenAI - Automated red-team / fuzzing pacing fingerprint
Open AI Red Team Pacing Anomaly
Query
let window = 1h;
OpenAIChatCompletions
| where TimeGenerated > ago(window)
| extend ActorUser = tostring(AdditionalFields.input_user)
| where isnotempty(ActorUser)
| order by ActorUser asc, TimeGenerated asc
| extend PrevTime = prev(TimeGenerated), PrevUser = prev(ActorUser)
| extend Gap = iff(ActorUser == PrevUser,
todouble(datetime_diff('millisecond', TimeGenerated, PrevTime)),
todouble(0))
| where ActorUser == PrevUser
| summarize
Requests = count(),
MedianGapMs = percentile(Gap, 50),
StdGapMs = stdev(Gap),
MinGapMs = min(Gap)
by ActorUser
| where Requests >= 30 and MedianGapMs < 2000 and StdGapMs < 500
| project ActorUser, Requests, MedianGapMs, StdGapMs, MinGapMs
| order by Requests descExplanation
This query is designed to detect unusual patterns of activity that suggest automated adversarial frameworks are interacting with the OpenAI API. It looks for a specific signature: a high number of requests from a single user with very small and consistent time gaps between requests, which is not typical of human behavior.
Here's a breakdown of what the query does:
- Time Frame: It examines data from the past hour.
- Data Source: It uses logs from OpenAI API interactions.
- User Identification: It identifies users making requests to the API.
- Request Pattern Analysis:
- It calculates the time gap between consecutive requests from the same user.
- It counts the total number of requests per user.
- It calculates the median, standard deviation, and minimum of these time gaps.
- Anomaly Detection: It flags users who:
- Made 30 or more requests in the past hour.
- Have a median gap between requests of less than 2000 milliseconds.
- Have a standard deviation of gaps less than 500 milliseconds.
- Output: It lists users who meet these criteria, along with their request count and gap statistics, ordered by the number of requests.
- Alerting: If any users meet these criteria, an alert is triggered, and incidents are created for further investigation.
The query is part of a scheduled task that runs every hour and is designed to help identify potential automated attacks or misuse of the OpenAI API by detecting patterns that are unlikely to be generated by human users.
Details

David Alonso
Released: June 8, 2026
Tables
OpenAIChatCompletions
Keywords
OpenAIAIAccountUserActorUserRequestsTimeGeneratedGap
Operators
letwhereextendtostringisnotemptyorder byprevifftodoubledatetime_diffsummarizecountpercentilestdevminproject
Severity
MediumTactics
DiscoveryImpact
Frequency: PT1H
Period: PT1H