Techniques
Sample rules
AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request
- source: elastic
- technicques:
Description
Identifies multiple violations of AWS Bedrock guardrails within a single request, resulting in a block action, increasing the likelihood of malicious intent. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.
Detection logic
from logs-aws_bedrock.invocation-*
| where gen_ai.policy.action == "BLOCKED"
| eval policy_violations = mv_count(gen_ai.policy.name)
| where policy_violations > 1
| stats total_unique_request_violations = count(*) by policy_violations, user.id, gen_ai.request.model.id, cloud.account.id
| sort total_unique_request_violations desc
AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User
- source: elastic
- technicques:
Description
Identifies multiple successive failed attempts to use denied model resources within AWS Bedrock. This could indicated attempts to bypass limitations of other approved models, or to force an impact on the environment by incurring exhorbitant costs.
Detection logic
from logs-aws_bedrock.invocation-*
| where gen_ai.response.error_code == "AccessDeniedException"
| stats total_denials = count(*) by user.id, gen_ai.request.model.id, cloud.account.id
| where total_denials > 3
| sort total_denials desc
AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session
- source: elastic
- technicques:
Description
Identifies multiple violations of AWS Bedrock guardrails by the same user in the same account over a session. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.
Detection logic
from logs-aws_bedrock.invocation-*
| where gen_ai.compliance.violation_detected
| stats violations = count(*) by user.id, gen_ai.model.id, cloud.account.id
| where violations > 1
| sort violations desc