Techniques
Sample rules
AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session
- source: elastic
- technicques:
Description
Identifies multiple AWS Bedrock executions in a one minute time window without guardrails by the same user in the same account over a session. Multiple consecutive executions implies that a user may be intentionally attempting to bypass security controls, by not routing the requests with the desired guardrail configuration in order to access sensitive information, or possibly exploit a vulnerability in the system.
Detection logic
from logs-aws_bedrock.invocation-*
// create time window buckets of 1 minute
| eval time_window = date_trunc(1 minute, @timestamp)
| where gen_ai.guardrail_id is NULL
| KEEP @timestamp, time_window, gen_ai.guardrail_id , user.id
| stats model_invocation_without_guardrails = count() by user.id
| where model_invocation_without_guardrails > 5
| sort model_invocation_without_guardrails desc