IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« AWS STS GetCallerIdentity API Called for the First Time Potential Persistence via File Modification »
Elastic Docs Elastic Security Solution [8.13] Downloadable rule update v8.13.18

AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session

edit

AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session

edit

Identifies multiple violations of AWS Bedrock guardrails by the same user in the same account over a session. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.

Rule type: esql

Rule indices: None

Severity: medium

Risk score: 47

Runs every: 10m

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: LLM
  • Data Source: AWS Bedrock
  • Data Source: AWS S3
  • Resources: Investigation Guide
  • Use Case: Policy Violation
  • Mitre Atlas: T0051
  • Mitre Atlas: T0054

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Setup

edit

Setup

This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:

https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html

Rule query

edit
from logs-aws_bedrock.invocation-*
| where gen_ai.compliance.violation_detected
| stats violations = count(*) by user.id, gen_ai.request.model.id, cloud.account.id
| where violations > 1
| sort violations desc
« AWS STS GetCallerIdentity API Called for the First Time Potential Persistence via File Modification »