Techniques
Sample rules
AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session
- source: elastic
- techniques:
Description
Identifies multiple AWS Bedrock invocations within a one-minute window that were executed without guardrails by the same user in the same account over a session. Several consecutive unguarded invocations suggest that a user may be deliberately bypassing security controls by not routing requests through the required guardrail configuration, either to access sensitive information or to probe for a weakness in the system.
Detection logic
from logs-aws_bedrock.invocation-*
// Create 1-minute time buckets
| eval Esql.time_window_date_trunc = date_trunc(1 minute, @timestamp)
// Keep only invocations that ran without a guardrail and can be attributed to a user
| where gen_ai.guardrail_id is null and user.id is not null
// Keep only the fields the aggregation needs
| keep
    @timestamp,
    Esql.time_window_date_trunc,
    gen_ai.guardrail_id,
    user.id
// Count unguarded invocations per user within each 1-minute bucket
// (the bucket is included in the grouping so the count matches the one-minute window in the description)
| stats
    Esql.ml_invocations_no_guardrails_count = count()
    by user.id, Esql.time_window_date_trunc
// Flag users whose unguarded volume exceeds the threshold
| where Esql.ml_invocations_no_guardrails_count > 5
// Highest counts first
| sort Esql.ml_invocations_no_guardrails_count desc
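The same detection logic re-implemented over a handful of constructed Bedrock invocation records, as an added example that is not part of the Elastic rule: it applies the guardrail/user filter, buckets by minute, counts per user and bucket, and reports anyone over the rule's threshold. The records are flattened JSON with the rule's dotted field names and invented values; the threshold of 5 mirrors the query.

```python
from collections import Counter
from datetime import datetime, timezone
import json

# Constructed sample records standing in for logs-aws_bedrock.invocation-* documents.
# Field names follow the rule; timestamps, users and guardrail ids are invented.
SAMPLE_LOGS = [
    json.dumps({"@timestamp": f"2024-05-01T10:00:{s:02d}Z", "user.id": "alice",
                "gen_ai.guardrail_id": None})
    for s in (1, 5, 12, 20, 33, 41, 58)          # 7 unguarded calls in one minute
] + [
    json.dumps({"@timestamp": "2024-05-01T10:00:07Z", "user.id": "bob",
                "gen_ai.guardrail_id": "gr-example-1234"}),   # guarded: excluded
    json.dumps({"@timestamp": "2024-05-01T10:01:02Z", "user.id": "alice",
                "gen_ai.guardrail_id": None}),                # 1 call in the next minute
    json.dumps({"@timestamp": "2024-05-01T10:02:15Z", "user.id": None,
                "gen_ai.guardrail_id": None}),                # no user: excluded
]

THRESHOLD = 5  # mirrors "> 5" in the rule


def minute_bucket(ts: str) -> datetime:
    """date_trunc(1 minute, @timestamp): floor an ISO-8601 timestamp to the minute (UTC)."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.replace(second=0, microsecond=0)


def count_unguarded(log_lines):
    """stats count() by user.id, minute bucket, over events with no guardrail id."""
    counts = Counter()
    for line in log_lines:
        doc = json.loads(line)
        # where gen_ai.guardrail_id is null and user.id is not null
        if doc.get("gen_ai.guardrail_id") is not None or doc.get("user.id") is None:
            continue
        counts[(doc["user.id"], minute_bucket(doc["@timestamp"]))] += 1
    return counts


def detect(log_lines, threshold=THRESHOLD):
    """Return [(user.id, bucket, count)] for counts over the threshold, highest first."""
    hits = [(u, b, n) for (u, b), n in count_unguarded(log_lines).items() if n > threshold]
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for user, bucket, n in detect(SAMPLE_LOGS):
        print(f"{user}: {n} unguarded Bedrock invocations in the minute starting {bucket:%H:%M}Z")
```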