AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session | Elastic Security Solution [8.13]

› › ›

« AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request AWS CloudTrail Log Created »

AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Sessionedit

Identifies multiple violations of AWS Bedrock guardrails by the same user in the same account over a session. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.

Rule type: esql

Rule indices: None

Severity: medium

Risk score: 47

Runs every: 10m

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Domain: LLM
Data Source: AWS Bedrock
Data Source: AWS S3
Resources: Investigation Guide
Use Case: Policy Violation
Mitre Atlas: T0051
Mitre Atlas: T0054

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Setupedit

Setup

This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:

https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html

Rule queryedit

from logs-aws_bedrock.invocation-*
| where gen_ai.compliance.violation_detected
| stats violations = count(*) by user.id, gen_ai.model.id, cloud.account.id
| where violations > 1
| sort violations desc

« AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request AWS CloudTrail Log Created »