AWS Bedrock Detected Multiple Validation Exception Errors by a Single User
editAWS Bedrock Detected Multiple Validation Exception Errors by a Single User
editIdentifies multiple validation exeception errors within AWS Bedrock. Validation errors occur when you run the InvokeModel or InvokeModelWithResponseStream APIs on a foundation model that uses an incorrect inference parameter or corresponding value. These errors also occur when you use an inference parameter for one model with a model that doesn’t have the same API parameter. This could indicate attempts to bypass limitations of other approved models, or to force an impact on the environment by incurring exhorbitant costs.
Rule type: esql
Rule indices: None
Severity: high
Risk score: 73
Runs every: 10m
Searches indices from: now-60m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: LLM
- Data Source: AWS
- Data Source: AWS Bedrock
- Data Source: AWS S3
- Use Case: Policy Violation
- Mitre Atlas: T0015
- Mitre Atlas: T0034
- Mitre Atlas: T0046
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Setup
editSetup
This rule requires that AWS Bedrock Integration be configured. For more information, see the AWS Bedrock integration documentation:
https://www.elastic.co/docs/current/integrations/aws_bedrock
Rule query
editfrom logs-aws_bedrock.invocation-* // truncate the timestamp to a 1-minute window | eval target_time_window = DATE_TRUNC(1 minutes, @timestamp) | where gen_ai.response.error_code == "ValidationException" | keep user.id, gen_ai.request.model.id, cloud.account.id, gen_ai.response.error_code, target_time_window // count the number of users causing validation errors within a 1 minute window | stats total_denials = count(*) by target_time_window, user.id, cloud.account.id | where total_denials > 3