Azure OpenAI Insecure Output Handling

Detects when Azure OpenAI requests result in zero response length, potentially indicating issues in output handling that might lead to security exploits such as data leaks or code execution. This can occur in cases where the API fails to handle outputs correctly under certain input conditions.

Rule type: esql

Rule indices: None

Severity: low

Risk score: 21

Runs every: 10m

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: LLM
  • Data Source: Azure OpenAI
  • Data Source: Azure Event Hubs
  • Use Case: Insecure Output Handling

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Setup


For more information on streaming events, see the Azure OpenAI documentation:

https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/stream-monitoring-data-event-hubs

Rule query

from logs-azure_openai.logs-*
| where azure.open_ai.properties.response_length == 0 and azure.open_ai.result_signature == "200" and azure.open_ai.operation_name == "ChatCompletions_Create"
| keep azure.open_ai.properties.request_length, azure.open_ai.result_signature, cloud.account.id, azure.resource.name
| stats count = count() by azure.resource.name
| where count >= 10
| sort count desc
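
The query's filter, per-resource count and threshold replayed in Python over constructed events, as an added example that is not part of Elastic's rule. The resource names, event volumes and helper names (`get`, `matches`, `evaluate`, `make_event`) are assumptions made for the illustration; it can serve as an offline check of which events the rule would and would not count.

```python
from collections import Counter

THRESHOLD = 10  # the rule's `where count >= 10`

def get(event, dotted):
    """Resolve a dotted field name in a nested event dict; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches(event):
    """Same three conditions as the rule's first `where` clause."""
    return (
        get(event, "azure.open_ai.properties.response_length") == 0
        and get(event, "azure.open_ai.result_signature") == "200"  # string, as in the query
        and get(event, "azure.open_ai.operation_name") == "ChatCompletions_Create"
    )

def evaluate(events, threshold=THRESHOLD):
    """Count matching events per azure.resource.name, keep counts >= threshold, sort desc."""
    counts = Counter(get(e, "azure.resource.name") for e in events if matches(e))
    hits = [(name, n) for name, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda x: x[1], reverse=True)

def make_event(resource, response_length, signature="200", op="ChatCompletions_Create"):
    """Constructed sample event carrying only the fields the rule reads."""
    return {"azure": {
        "resource": {"name": resource},
        "open_ai": {"operation_name": op, "result_signature": signature,
                    "properties": {"response_length": response_length}},
    }}

# Constructed sample data: resource names, volumes and the second operation name are invented.
SAMPLE = (
    [make_event("aoai-prod", 0) for _ in range(12)]        # 12 empty 200s: alerts
    + [make_event("aoai-dev", 0) for _ in range(9)]         # 9 empty 200s: below threshold
    + [make_event("aoai-dev", 0, signature="429")]          # not a 200: ignored
    + [make_event("aoai-test", 512) for _ in range(20)]     # non-empty responses: ignored
    + [make_event("aoai-test", 0, op="Embeddings_Create") for _ in range(15)]  # other operation
)

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

Because the rule runs every 10 minutes over a 60-minute window, the ten events need only fall within the same hour for one resource, not within a single run interval.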
