Azure OpenAI Insecure Output Handling
Detects when Azure OpenAI requests result in zero response length, potentially indicating issues in output handling that might lead to security exploits such as data leaks or code execution. This can occur in cases where the API fails to handle outputs correctly under certain input conditions.
Rule type: esql
Rule indices: None
Severity: low
Risk score: 21
Runs every: 10m
Searches indices from: now-60m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: LLM
- Data Source: Azure OpenAI
- Data Source: Azure Event Hubs
- Use Case: Insecure Output Handling
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Setup
For more information on streaming events, see the Azure OpenAI documentation:
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/stream-monitoring-data-event-hubs
Rule query
from logs-azure_openai.logs-*
| where azure.open_ai.properties.response_length == 0
    and azure.open_ai.result_signature == "200"
    and azure.open_ai.operation_name == "ChatCompletions_Create"
| keep azure.open_ai.properties.request_length, azure.open_ai.result_signature, cloud.account.id, azure.resource.name
| stats count = count() by azure.resource.name
| where count >= 10
| sort count desc
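The rule's filter, aggregation and threshold re-implemented over constructed sample log documents, so the logic can be checked offline before deploying or tuning the threshold (an added example, not Elastic's code; field names follow the query above, while the resource names, lengths and account id are placeholders):

```python
# Offline re-implementation of the rule's ES|QL logic (added example, not Elastic's
# code). Documents are flattened dicts keyed by the rule's dotted field names; the
# sample records are constructed for illustration.
from collections import Counter

ALERT_THRESHOLD = 10  # mirrors `where count >= 10` in the rule query


def matches_rule(doc: dict) -> bool:
    """True when one log document satisfies the rule's `where` clause."""
    return (
        doc.get("azure.open_ai.properties.response_length") == 0
        and doc.get("azure.open_ai.result_signature") == "200"
        and doc.get("azure.open_ai.operation_name") == "ChatCompletions_Create"
    )


def evaluate_rule(docs, threshold: int = ALERT_THRESHOLD) -> list:
    """Filter, count by azure.resource.name, keep counts >= threshold, sort desc.

    Equivalent to `stats count = count() by azure.resource.name
    | where count >= 10 | sort count desc`; returns (resource, count) pairs.
    """
    counts = Counter(doc.get("azure.resource.name") for doc in docs if matches_rule(doc))
    hits = [(name, n) for name, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda item: item[1], reverse=True)


def _sample(resource, response_length=0, signature="200", op="ChatCompletions_Create"):
    """Build one constructed log document in the rule's field layout."""
    return {
        "azure.open_ai.properties.request_length": 512,
        "azure.open_ai.properties.response_length": response_length,
        "azure.open_ai.result_signature": signature,
        "azure.open_ai.operation_name": op,
        "cloud.account.id": "PLACEHOLDER-SUBSCRIPTION-ID",
        "azure.resource.name": resource,
    }


# Constructed sample: "oai-prod" has 12 empty successful chat completions (alerts),
# "oai-dev" has 3 (below threshold); the rest fail one of the three conditions.
SAMPLE_DOCS = (
    [_sample("oai-prod") for _ in range(12)]
    + [_sample("oai-dev") for _ in range(3)]
    + [_sample("oai-prod", response_length=1842)] * 5      # normal responses
    + [_sample("oai-prod", signature="429")] * 4           # throttled, not 200
    + [_sample("oai-prod", op="Completions_Create")] * 2   # other operation
)
```

Running `evaluate_rule(SAMPLE_DOCS)` returns only `("oai-prod", 12)`; lowering the threshold surfaces `oai-dev` as well, which is the knob to tune when the 10-per-hour default is too noisy or too quiet for a given deployment.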