
Summary
This detection rule, authored by Elastic, targets incidents where Azure OpenAI requests return a response length of zero, which suggests potential issues in output handling that could lead to security vulnerabilities, such as data leaks or executable code exposure. The rule operates on the premise that certain inputs might cause the API to fail to return valid output. Detection runs over a rolling 60-minute window with a 10-minute query interval, relying on logs emitted by Azure OpenAI and Azure Event Hubs. The query looks for events indicating a successful operation (a `result_signature` of "200") where the response length is zero, and flags a resource for review once it has ten or more such occurrences within the window. False positives might occur when queries are intentionally designed to produce empty responses, so findings should be correlated with business context and expected system behavior.
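The following is an added example (not Elastic's rule code) that re-implements the detection logic just described in Python and runs it over constructed sample records. The 60-minute window, 10-minute interval, `result_signature` of "200" and the threshold of ten come from the page; the field names `timestamp`, `resource` and `response_length`, the resource names, and the allowlist used to suppress the false-positive case are assumptions made for the example.

```python
"""Added example: minimal re-implementation of the zero-length-response
detection described on this page, run over constructed sample records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Rule parameters taken from the page: rolling 60-minute window, 10-minute
# query interval, ten or more zero-length successful responses per resource.
WINDOW = timedelta(minutes=60)
INTERVAL = timedelta(minutes=10)
THRESHOLD = 10

# Fixed "current time" so the constructed data set is deterministic.
NOW = datetime(2025, 2, 25, 12, 0, 0)


def make_record(resource, minutes_ago, result_signature, response_length):
    """Build one constructed log record.

    `result_signature` is the field the page names; `timestamp`, `resource`
    and `response_length` are assumed field names used only in this example.
    """
    return {
        "timestamp": (NOW - timedelta(minutes=minutes_ago)).isoformat(),
        "resource": resource,
        "result_signature": result_signature,
        "response_length": response_length,
    }


def build_sample_logs():
    """Constructed sample data set (not real Azure OpenAI output)."""
    recs = []
    # Resource A: 12 zero-length 200s inside the window -> should be flagged.
    recs += [make_record("oai-prod-eastus", 2 + i * 4, "200", 0) for i in range(12)]
    # Resource A also has normal traffic and client errors; neither may count.
    recs += [make_record("oai-prod-eastus", 5 + i * 7, "200", 1842) for i in range(6)]
    recs += [make_record("oai-prod-eastus", 9, "400", 0),
             make_record("oai-prod-eastus", 31, "429", 0)]
    # Resource A: zero-length 200s older than the window -> must be ignored.
    recs += [make_record("oai-prod-eastus", 75 + i * 3, "200", 0) for i in range(5)]
    # Resource B: only 3 zero-length 200s -> under threshold, not flagged.
    recs += [make_record("oai-dev-westus", 10 + i * 15, "200", 0) for i in range(3)]
    return recs


def is_zero_length_success(rec):
    """Per-event condition from the rule: a successful call with an empty response."""
    return rec.get("result_signature") == "200" and rec.get("response_length") == 0


def count_zero_length_by_resource(records, now=NOW, window=WINDOW):
    """Count matching events per resource inside the window ending at `now`."""
    start = now - window
    counts = defaultdict(int)
    for rec in records:
        ts = datetime.fromisoformat(rec["timestamp"])
        if not (start <= ts <= now):
            continue
        if is_zero_length_success(rec):
            counts[rec["resource"]] += 1
    return dict(counts)


def flagged_resources(records, now=NOW, threshold=THRESHOLD, allowlist=frozenset()):
    """Apply the threshold. `allowlist` (assumed) holds resources known to
    return empty responses by design, the false-positive case the page notes."""
    counts = count_zero_length_by_resource(records, now)
    return {r: c for r, c in counts.items() if c >= threshold and r not in allowlist}


if __name__ == "__main__":
    logs = build_sample_logs()
    # A scheduler would call this every INTERVAL; each run re-evaluates
    # the trailing WINDOW, so the same resource can fire on successive runs.
    print(count_zero_length_by_resource(logs))
    print(flagged_resources(logs))
    print(flagged_resources(logs, allowlist={"oai-prod-eastus"}))
```

Evaluating the same records one interval earlier (`now=NOW - INTERVAL`) drops the two newest events and leaves exactly ten, which still meets the "ten or more" threshold; this is the boundary a tuning exercise should check before raising or lowering the count.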
Categories
- Cloud
- Azure
- Application
- Identity Management
Data Sources
- Cloud Service
- Application Log
Created: 2025-02-25