Azure OpenAI Insecure Output Handling
- source: elastic
- techniques:
Description
Detects when Azure OpenAI requests result in zero response length, potentially indicating issues in output handling that might lead to security exploits such as data leaks or code execution. This can occur in cases where the API fails to handle outputs correctly under certain input conditions.
Detection logic
from logs-azure_openai.logs-*
| where azure.open_ai.properties.response_length == 0
    and azure.open_ai.result_signature == "200"
    and azure.open_ai.operation_name == "ChatCompletions_Create"
| keep azure.open_ai.properties.request_length, azure.open_ai.result_signature, cloud.account.id, azure.resource.name
| stats Esql.event_count = count(*) by azure.resource.name
| where Esql.event_count >= 10
| sort Esql.event_count desc
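To check what the ES|QL above actually surfaces before deploying it, the same filter-count-threshold logic can be re-run offline over sample events. The Python below is an added example, not Elastic's rule code; the events, resource names and account id are constructed placeholders, and `make_event`, `matches_filter` and `detect` are names chosen here.

```python
from collections import Counter

def make_event(resource, response_length, status="200",
               operation="ChatCompletions_Create", request_length=512):
    """Build one constructed Azure OpenAI audit event with only the fields the rule reads."""
    return {
        "azure.open_ai.properties.response_length": response_length,
        "azure.open_ai.properties.request_length": request_length,
        "azure.open_ai.result_signature": status,
        "azure.open_ai.operation_name": operation,
        "cloud.account.id": "00000000-0000-0000-0000-000000000000",  # placeholder id
        "azure.resource.name": resource,
    }

# Constructed sample: one resource with 12 empty 200 OK chat completions (must alert),
# one with only 3 (below the >= 10 threshold), plus events each filter should discard.
SAMPLE_EVENTS = (
    [make_event("aoai-prod-eastus", 0)] * 12
    + [make_event("aoai-dev-westus", 0)] * 3
    + [make_event("aoai-prod-eastus", 0, status="429")] * 5                 # throttled, not 200
    + [make_event("aoai-prod-eastus", 0, operation="Completions_Create")] * 5  # wrong operation
    + [make_event("aoai-prod-eastus", 840)] * 20                             # normal responses
)

def matches_filter(event):
    """Equivalent of the rule's first `where`: empty body on a successful ChatCompletions call."""
    return (
        event.get("azure.open_ai.properties.response_length") == 0
        and event.get("azure.open_ai.result_signature") == "200"
        and event.get("azure.open_ai.operation_name") == "ChatCompletions_Create"
    )

def detect(events, threshold=10):
    """Equivalent of `stats count(*) by azure.resource.name | where count >= threshold | sort desc`.

    Returns (resource_name, event_count) pairs, highest count first."""
    counts = Counter(e["azure.resource.name"] for e in events if matches_filter(e))
    hits = [(name, n) for name, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda pair: pair[1], reverse=True)

if __name__ == "__main__":
    for resource, n in detect(SAMPLE_EVENTS):
        print(f"alert: {resource} returned {n} empty 200 OK chat completions")
```

Lowering `threshold` reproduces what tuning the `Esql.event_count >= 10` line would do; the 429 and non-chat events stay excluded regardless.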