This detection rule aims to monitor for potentially suspicious activities indicating the theft or unauthorized duplication of machine learning (ML) models in Azure OpenAI services. It investigates events such as unauthorized API calls, unusual access patterns, and excessive data transfers during interactions with ML models. The rule is based on a query that looks at logs from Azure OpenAI to identify instances where the operation 'ListKey' is logged under audit categories and counts occurrences of data responses from model interactions. If there are more than 100 such occurrences or if the maximum data transferred exceeds 1,000,000 bytes within a specified time frame, the event is flagged for further examination. The rule has a moderate risk score of 47, indicative of the significance of unauthorized model access or theft in cloud environments.