legitimate misunderstanding by users on accessing the bedrock models.

Techniques

Sample rules

AWS Bedrock Detected Multiple Validation Exception Errors by a Single User

source: elastic
technicques:

Description

Identifies multiple validation exeception errors within AWS Bedrock. Validation errors occur when you run the InvokeModel or InvokeModelWithResponseStream APIs on a foundation model that uses an incorrect inference parameter or corresponding value. These errors also occur when you use an inference parameter for one model with a model that doesn’t have the same API parameter. This could indicate attempts to bypass limitations of other approved models, or to force an impact on the environment by incurring exhorbitant costs.

Detection logic

from logs-aws_bedrock.invocation-*

// Truncate timestamp to 1-minute window
| eval Esql.time_window_date_trunc = date_trunc(1 minutes, @timestamp)

// Filter for validation exceptions in responses
| where gen_ai.response.error_code == "ValidationException"

// keep relevant ECS and derived fields
| keep
  user.id,
  gen_ai.request.model.id,
  cloud.account.id,
  gen_ai.response.error_code,
  Esql.time_window_date_trunc

// count number of denials by user/account/time window
| stats
    Esql.ml_response_validation_error_count = count(*)
  by
    Esql.time_window_date_trunc,
    user.id,
    cloud.account.id

// Filter for excessive errors
| where Esql.ml_response_validation_error_count > 3