Techniques
Sample rules
AWS Bedrock Detected Multiple Validation Exception Errors by a Single User
- source: elastic
- techniques:
Description
Identifies multiple validation exception errors within AWS Bedrock. Validation errors occur when you run the InvokeModel or InvokeModelWithResponseStream APIs on a foundation model that uses an incorrect inference parameter or corresponding value. These errors also occur when you use an inference parameter for one model with a model that doesn’t have the same API parameter. This could indicate attempts to bypass limitations of other approved models, or to force an impact on the environment by incurring exorbitant costs.
Detection logic
from logs-aws_bedrock.invocation-*
// Truncate timestamp to 1-minute window
| eval Esql.time_window_date_trunc = date_trunc(1 minutes, @timestamp)
// Filter for validation exceptions in responses
| where gen_ai.response.error_code == "ValidationException"
// Keep relevant ECS and derived fields
| keep
  user.id,
  gen_ai.request.model.id,
  cloud.account.id,
  gen_ai.response.error_code,
  Esql.time_window_date_trunc
// Count validation errors by user/account/time window
| stats
  Esql.ml_response_validation_error_count = count(*)
  by
  Esql.time_window_date_trunc,
  user.id,
  cloud.account.id
// Filter for excessive errors
| where Esql.ml_response_validation_error_count > 3
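
The rule's bucketing and threshold replayed over constructed events, as an added example in Python that is not part of the Elastic rule. It shows that `date_trunc` produces fixed one-minute buckets, so a burst straddling a minute boundary is split across two counts, and that exactly 3 errors does not fire. The function name, user IDs, account ID and timestamps are all assumptions made for the illustration.

```python
from collections import Counter
from datetime import datetime

THRESHOLD = 3  # the rule keeps buckets where count > 3


def validation_error_bursts(events, threshold=THRESHOLD):
    """Return {(window, user.id, cloud.account.id): count} for buckets over threshold."""
    counts = Counter()
    for ev in events:
        # where gen_ai.response.error_code == "ValidationException"
        if ev.get("gen_ai.response.error_code") != "ValidationException":
            continue
        # date_trunc(1 minutes, @timestamp): fixed buckets, not a sliding window
        ts = datetime.fromisoformat(ev["@timestamp"])
        window = ts.replace(second=0, microsecond=0).isoformat()
        # stats count(*) by window, user.id, cloud.account.id
        counts[(window, ev["user.id"], ev["cloud.account.id"])] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def _ev(ts, user, code="ValidationException", account="111111111111"):
    """Build one constructed invocation event with only the fields the rule reads."""
    return {
        "@timestamp": ts,
        "user.id": user,
        "cloud.account.id": account,
        "gen_ai.response.error_code": code,
    }


# Constructed sample events (not real log data).
SAMPLE_EVENTS = (
    # user-a: 4 validation errors inside the 10:00 bucket -> fires
    [_ev(f"2025-01-01T10:00:{s:02d}", "user-a") for s in (5, 12, 30, 48)]
    # user-b: 4 errors within 4 seconds, but split 2 + 2 across 10:00 and 10:01
    + [_ev("2025-01-01T10:00:58", "user-b"), _ev("2025-01-01T10:00:59", "user-b"),
       _ev("2025-01-01T10:01:00", "user-b"), _ev("2025-01-01T10:01:01", "user-b")]
    # user-c: exactly 3 validation errors (not > 3) plus one unrelated error code
    + [_ev(f"2025-01-01T10:02:{s:02d}", "user-c") for s in (1, 2, 3)]
    + [_ev("2025-01-01T10:02:04", "user-c", code="ThrottlingException")]
)

if __name__ == "__main__":
    for (window, user, account), n in validation_error_bursts(SAMPLE_EVENTS).items():
        print(f"{window} user={user} account={account} validation_errors={n}")
```

Only `user-a` is reported; when tuning, the split `user-b` burst is the case to keep in mind if the rule is scheduled with short lookbacks.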