
Summary
The rule provides anomaly detection for potential data exfiltration and leakage attempts that target Ollama model metadata and configuration endpoints. It specifically monitors repeated queries to critical API endpoints such as /api/show, /api/tags, and /api/v1/models. The detection logic analyzes logs to identify systematic attempts to extract sensitive model-related information, which could include architecture details, custom configurations, and other proprietary data that could be exploited for competitive intelligence or malicious attacks against AI infrastructure. The rule aggregates log data over a 15-minute window and uses metrics such as response time to classify the severity of the detected anomalies. Query activity that crosses the rule's threshold for automated queries, or unusually long response times, may indicate a high likelihood of data exfiltration, which helps security teams mitigate such risks proactively.
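The aggregation described above can be sketched as follows. This is an added example, not the rule's own query: the log line format, the constructed sample lines, the thresholds `MIN_HITS` and `SLOW_MS`, and the mapping of response time to "medium"/"high" severity are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

WATCHED = ("/api/show", "/api/tags", "/api/v1/models")  # endpoints named in the summary
WINDOW_S = 15 * 60   # 15-minute aggregation window from the summary
MIN_HITS = 10        # assumed query-count threshold (not stated by the rule)
SLOW_MS = 2000       # assumed cut-off for an "unusually long" response time

def sample_logs():
    """Constructed lines: '<ISO ts> <src> <method> <path> <status> <ms>'."""
    ts = "2025-10-05T12:{:02d}:{:02d}Z"
    lines = [f"{ts.format(0, i * 5)} 10.0.0.7 POST /api/show 200 {150 + i}" for i in range(12)]
    lines += [f"{ts.format(1, i)} 10.0.0.7 GET /api/tags 200 2500" for i in range(3)]
    lines += [f"{ts.format(2, 0)} 10.0.0.9 GET /api/tags 200 40",
              f"{ts.format(3, 0)} 10.0.0.9 POST /api/generate 200 900",
              "truncated line"]
    return lines

def parse(line):
    """Return (epoch, src, path, ms), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 6:
        return None
    stamp, src, _method, path, _status, ms = parts
    try:
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return int(when.timestamp()), src, path.split("?")[0], int(ms)
    except ValueError:
        return None

def detect(lines):
    """Group watched-endpoint hits per source and 15-minute window, then grade them."""
    buckets = defaultdict(list)  # (src, window start) -> [(path, ms), ...]
    for epoch, src, path, ms in filter(None, map(parse, lines)):
        if path in WATCHED:
            buckets[(src, epoch - epoch % WINDOW_S)].append((path, ms))
    alerts = []
    for (src, start), hits in sorted(buckets.items()):
        if len(hits) < MIN_HITS:
            continue  # below the assumed volume threshold: no alert
        max_ms = max(ms for _, ms in hits)
        alerts.append({"src": src, "window_start": start, "count": len(hits),
                       "endpoints": sorted({p for p, _ in hits}), "max_ms": max_ms,
                       "severity": "high" if max_ms >= SLOW_MS else "medium"})
    return alerts
```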
Categories
- Web
- Application
- Cloud
Data Sources
- Pod
ATT&CK Techniques
- T1048
Created: 2025-10-05