Merge branch '4517-bug-dac-detection_rules-help-texts-are-cut-off' of github.com:elastic/detection-rules into 4517-bug-dac-detection_rules-help-texts-are-cut-off

Author: eric-forte-elastic

rules/integrations/azure_openai/azure_openai_denial_of_ml_service_detection.toml

@@ -0,0 +1,53 @@
+[metadata]
+creation_date = "2025/02/25"
+maturity = "production"
+updated_date = "2025/02/25"
+min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview"
+min_stack_version = "8.13.0"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects patterns indicative of Denial-of-Service (DoS) attacks on machine learning (ML) models, focusing on unusually high volume and frequency
+of requests or patterns of requests that are known to cause performance degradation or service disruption, such as
+large input sizes or rapid API calls.
+"""
+false_positives = ["Unexpected system errors", "Legitimate spikes in usage due to business processes"]
+from = "now-60m"
+interval = "10m"
+language = "esql"
+license = "Elastic License v2"
+name = "Potential Denial of Azure OpenAI ML Service"
+references = [
+    "https://genai.owasp.org/llmrisk/llm04-model-denial-of-service",
+    "https://atlas.mitre.org/techniques/AML.T0029"
+]
+risk_score = 47
+rule_id = "b0450411-46e5-46d2-9b35-8b5dd9ba763e"
+setup = """## Setup
+
+For more information on streaming events, see the Azure OpenAI documentation:
+
+https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/stream-monitoring-data-event-hubs
+"""
+severity = "medium"
+tags = [
+    "Domain: LLM",
+    "Data Source: Azure OpenAI",
+    "Data Source: Azure Event Hubs",
+    "Use Case: Denial of Service",
+    "Mitre Atlas: T0029"
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-azure_openai.logs-*
+// truncate the timestamp to a 1-minute window
+| eval target_time_window = DATE_TRUNC(1 minutes, @timestamp)
+| where azure.open_ai.operation_name == "ChatCompletions_Create"
+| keep azure.open_ai.properties.request_length, azure.resource.name, cloud.account.id,target_time_window
+| stats count = count(), avg_request_size = avg(azure.open_ai.properties.request_length) by target_time_window, azure.resource.name
+| where count >= 10 and avg_request_size >= 5000
+| sort count desc
+'''

rules/integrations/azure_openai/azure_openai_insecure_output_handling_detection.toml

@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2025/02/25"
+maturity = "production"
+updated_date = "2025/02/25"
+min_stack_comments = "ES|QL rule type is still in experimental as of 8.13, however this rule was tested successfully; integration in experimental"
+min_stack_version = "8.13.0"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects when Azure OpenAI requests result in zero response length, potentially indicating issues in output handling
+that might lead to security exploits such as data leaks or code execution. This can occur in cases where the API fails
+to handle outputs correctly under certain input conditions.
+"""
+false_positives = ["Queries that are designed to expect empty responses or benign system errors"]
+from = "now-60m"
+interval = "10m"
+language = "esql"
+license = "Elastic License v2"
+name = "Azure OpenAI Insecure Output Handling"
+references = [
+    "https://genai.owasp.org/llmrisk/llm02-insecure-output-handling"
+]
+risk_score = 21
+rule_id = "fb16f9ef-cb03-4234-adc2-44641f3b71ee"
+setup = """## Setup
+
+For more information on streaming events, see the Azure OpenAI documentation:
+
+https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/stream-monitoring-data-event-hubs
+"""
+severity = "low"
+tags = [
+    "Domain: LLM",
+    "Data Source: Azure OpenAI",
+    "Data Source: Azure Event Hubs",
+    "Use Case: Insecure Output Handling"
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-azure_openai.logs-*
+| where azure.open_ai.properties.response_length == 0 and azure.open_ai.result_signature == "200" and azure.open_ai.operation_name == "ChatCompletions_Create"
+| keep azure.open_ai.properties.request_length, azure.open_ai.result_signature, cloud.account.id, azure.resource.name
+| stats count = count() by azure.resource.name
+| where count >= 10
+| sort count desc
+'''

rules/integrations/azure_openai/azure_openai_model_theft_detection.toml

@@ -0,0 +1,51 @@
+[metadata]
+creation_date = "2025/02/25"
+maturity = "production"
+updated_date = "2025/02/25"
+min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview"
+min_stack_version = "8.13.0"
+
+[rule]
+author = ["Elastic"]
+description = """
+Monitors for suspicious activities that may indicate theft or unauthorized duplication of machine learning (ML) models, such as
+unauthorized API calls, atypical access patterns, or large data transfers that are unusual during model interactions.
+"""
+false_positives = ["Authorized model training", "Legitimate high volume data exchanges during scheduled updates"]
+from = "now-60m"
+interval = "10m"
+language = "esql"
+license = "Elastic License v2"
+name = "Potential Azure OpenAI Model Theft"
+references = [
+    "https://genai.owasp.org/llmrisk/llm10-model-theft",
+    "https://atlas.mitre.org/techniques/AML.T0044"
+]
+risk_score = 47
+rule_id = "4021e78d-5293-48d3-adee-a70fa4c18fab"
+setup = """## Setup
+
+For more information on
+streaming events, see the Azure OpenAI documentation:
+
+https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/stream-monitoring-data-event-hubs
+"""
+severity = "medium"
+tags = [
+    "Domain: LLM",
+    "Data Source: Azure OpenAI",
+    "Data Source: Azure Event Hubs",
+    "Use Case: Model Theft",
+    "Mitre Atlas: T0044"
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-azure_openai.logs-*
+| where azure.open_ai.operation_name == "ListKey" and azure.open_ai.category == "Audit"
+| KEEP @timestamp, azure.open_ai.operation_name , azure.open_ai.category, azure.resource.group, azure.resource.name, azure.open_ai.properties.response_length
+| stats count = count(), max_data_transferred = max(azure.open_ai.properties.response_length) by azure.resource.group , azure.resource.name
+| where count >= 100 or max_data_transferred >= 1000000
+| sort count desc
+'''