-
Notifications
You must be signed in to change notification settings - Fork 456
/
aws_bedrock_guardrails_multiple_violations_by_single_user.toml
54 lines (50 loc) · 1.91 KB
/
aws_bedrock_guardrails_multiple_violations_by_single_user.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
[metadata]
creation_date = "2024/05/02"
maturity = "production"
updated_date = "2024/05/02"
min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview"
min_stack_version = "8.13.0"
[rule]
author = ["Elastic"]
description = """
Identifies multiple violations of AWS Bedrock guardrails by the same user in the same account over a session. Multiple
violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive
information, or possibly exploit a vulnerability in the system.
"""
false_positives = ["Legitimate misunderstanding by users or overly strict policies"]
from = "now-60m"
interval = "10m"
language = "esql"
license = "Elastic License v2"
name = "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session"
references = [
"https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html",
"https://atlas.mitre.org/techniques/AML.T0051",
"https://atlas.mitre.org/techniques/AML.T0054",
"https://www.elastic.co/security-labs/elastic-advances-llm-security"
]
risk_score = 47
rule_id = "0cd2f3e6-41da-40e6-b28b-466f688f00a6"
setup = """## Setup
This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:
https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
"""
severity = "medium"
tags = [
"Domain: LLM",
"Data Source: AWS Bedrock",
"Data Source: AWS S3",
"Resources: Investigation Guide",
"Use Case: Policy Violation",
"Mitre Atlas: T0051",
"Mitre Atlas: T0054",
]
timestamp_override = "event.ingested"
type = "esql"
query = '''
from logs-aws_bedrock.invocation-*
| where gen_ai.compliance.violation_detected
| stats violations = count(*) by user.id, gen_ai.model.id, cloud.account.id
| where violations > 1
| sort violations desc
'''