Azure OpenAI Insecure Output Handling

Last updated a month ago on 2025-07-16

Created 6 months ago on 2025-02-25

About

Detects when Azure OpenAI requests result in zero response length, potentially indicating issues in output handling that might lead to security exploits such as data leaks or code execution. This can occur in cases where the API fails to handle outputs correctly under certain input conditions.

Tags: Domain: LLMData Source: Azure OpenAIData Source: Azure Event HubsUse Case: Insecure Output HandlingLanguage: esql
Severity: low
Risk Score: 21
False Positive Examples: Queries that are designed to expect empty responses or benign system errors
License: Elastic License v2(opens in a new tab or window)

Definition

Integration Pack: Prebuilt Security Detection Rules
Related Integrations: (opens in a new tab or window)
Query

from logs-azure_openai.logs-*
| where
    azure.open_ai.properties.response_length == 0 and
    azure.open_ai.result_signature == "200" and
    azure.open_ai.operation_name == "ChatCompletions_Create"
| keep
    azure.open_ai.properties.request_length,
    azure.open_ai.result_signature,
    cloud.account.id,
    azure.resource.name
| stats
    Esql.event_count = count(*)
  by
    azure.resource.name
| where
    Esql.event_count >= 10
| sort
    Esql.event_count desc

Install detection rules in Elastic Security

Detect Azure OpenAI Insecure Output Handling in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).