
[Rule Tuning] Unusual High Denied Topic Blocks Detected #5203

@eddxavier-elastic

Description


Link to Rule

No response

Rule Tuning Type

None

Description

The value of the field gen_ai.policy.action is an array, so a second mv_expand on that field is necessary for the rule to work.

Here is a raw event sample from the AWS Bedrock integration:

{ "@timestamp": "2025-10-10T19:12:24.000Z", "agent.ephemeral_id": "agent.ephemeral_id", "agent.id": "agent.ephemeral_id", "agent.name": "agent.ephemeral_id", "agent.name.text": "agent.ephemeral_id", "agent.type": "filebeat", "agent.version": "9.1.5", "aws.s3.bucket.arn": "arn:aws:s3:::bucket-bedrock", "aws.s3.bucket.name": "bucketname", "aws.s3.object.key": "AWSLogs/org_id/BedrockModelInvocationLogs/us-east-1/2025/10/10/19/20251010T191306972Z_890ec528df3c8d3c.json.gz", "aws_bedrock.invocation.input.input_content_type": "application/json", "aws_bedrock.invocation.input.input_token_count": 0, "aws_bedrock.invocation.input.messages_content_kinds": "text", "aws_bedrock.invocation.model_id": "us.anthropic.claude-3-7-sonnet-20250219-v1:0", "aws_bedrock.invocation.output.completion_text": "Sorry, the model cannot answer this question.", "aws_bedrock.invocation.output.output_content_type": "application/json", "aws_bedrock.invocation.output.output_token_count": 0, "aws_bedrock.invocation.request_id": "requestid", "aws_bedrock.invocation.schema_type": "ModelInvocationLog", "aws_bedrock.invocation.schema_version": "1.0", "cloud.account.id": "cloud", "cloud.region": "us-east-1", "cloud.service.name": "bedrock", "cloud.service.name.text": "bedrock", "data_stream.dataset": "aws_bedrock.invocation", "data_stream.namespace": "default", "data_stream.type": "logs", "ecs.version": "8.11.0", "elastic_agent.id": "agent.ephemeral_id", "elastic_agent.snapshot": false, "elastic_agent.version": "9.1.5", "event.action": "Converse", "event.agent_id_status": "verified", "event.dataset": "aws_bedrock.invocation", "event.ingested": "2025-10-10T19:13:18.000Z", "event.module": "aws", "event.outcome": "failure", "gen_ai.completion": "{\"metrics\":{\"latencyMs\":329},\"output\":{\"message\":{\"content\":[{\"text\":\"Sorry, the model cannot answer this 
question.\"}],\"role\":\"assistant\"}},\"stopReason\":\"guardrail_intervened\",\"trace\":{\"guardrail\":{\"inputAssessment\":{\"n2s0km4oxeob\":{\"invocationMetrics\":{\"guardrailCoverage\":{\"textCharacters\":{\"guarded\":19,\"total\":20}},\"guardrailProcessingLatency\":261,\"usage\":{\"automatedReasoningPolicies\":0,\"automatedReasoningPolicyUnits\":0,\"contentPolicyImageUnits\":0,\"contentPolicyUnits\":1,\"contextualGroundingPolicyUnits\":0,\"sensitiveInformationPolicyFreeUnits\":0,\"sensitiveInformationPolicyUnits\":1,\"topicPolicyUnits\":1,\"wordPolicyUnits\":1}},\"sensitiveInformationPolicy\":{\"piiEntities\":[{\"action\":\"NONE\",\"detected\":true,\"match\":\"Jamelão\",\"type\":\"NAME\"}]},\"wordPolicy\":{\"customWords\":[{\"action\":\"BLOCKED\",\"detected\":true,\"match\":\"Jamelão\"}]}}}}},\"usage\":{\"inputTokens\":0,\"outputTokens\":0,\"totalTokens\":0}}", "gen_ai.compliance.violation_code": "NAME", "gen_ai.compliance.violation_detected": true, "gen_ai.guardrail_id": "agent.ephemeral_id", "gen_ai.performance.request_size": 73, "gen_ai.performance.response_size": 893, "gen_ai.policy.action": "BLOCKED", "gen_ai.policy.match_detail.action": [ "BLOCKED", "NONE" ], "gen_ai.policy.match_detail.detected": "true", "gen_ai.policy.match_detail.match": "Jamelão", "gen_ai.policy.match_detail.type": "NAME", "gen_ai.policy.name": "sensitive_information_policy", "gen_ai.prompt": "{\"messages\":[{\"content\":[{\"text\":\"What about Jamelão?\"}],\"role\":\"user\"}]}", "gen_ai.request.id": "77065fd6-0312-4c37-b78c-a4e6c12da598", "gen_ai.request.model.id": "us.anthropic.claude-3-7-sonnet-20250219-v1:0", "gen_ai.request.model.role": "assistant", "gen_ai.request.model.type": "us", "gen_ai.response.finish_reasons": "guardrail_intervened", "gen_ai.response.timestamp": "2025-10-10T19:12:24.000Z", "gen_ai.system": "aws", "gen_ai.usage.completion_tokens": 0, "gen_ai.usage.prompt_tokens": 0, "gen_ai.user.id": "arn:aws:iam::961982651394:user/elastic-bedrock-integration", 
"input.type": "aws-s3", "log.file.path": "https://eddxavier-bedrock.s3.us-east-1.amazonaws.com/AWSLogs/961982651394/BedrockModelInvocationLogs/us-east-1/2025/10/10/19/20251010T191306972Z_890ec528df3c8d3c.json.gz", "log.file.path.text": "https://eddxavier-bedrock.s3.us-east-1.amazonaws.com/AWSLogs/961982651394/BedrockModelInvocationLogs/us-east-1/2025/10/10/19/20251010T191306972Z_890ec528df3c8d3c.json.gz", "log.offset": 7475, "tags": "forwarded", "user.id": "arn:aws:iam::961982651394:user/elastic-bedrock-integration" }

Example Data

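from logs-aws_bedrock.invocation-*

// Both policy fields can carry several values per invocation, and a comparison
// against a still multi-valued field does not match, so each field is expanded
// to one row per value before the filter below looks at individual values.
// NOTE(review): two independent expansions do not preserve the pairing between
// a policy name and its action (the sample event already reports
// gen_ai.policy.name = sensitive_information_policy with action BLOCKED while
// the raw trace attributes the BLOCKED action to the word policy); this cannot
// be recovered in the query and depends on how the integration emits the fields.
| mv_expand gen_ai.policy.name
| mv_expand gen_ai.policy.action

// Filter for blocked topic policy violations.
// NOTE(review): in the sample event gen_ai.compliance.violation_detected is a
// JSON boolean (true) whereas gen_ai.policy.match_detail.detected is the string
// "true"; confirm the mapping of violation_detected so this comparison matches
// the field's actual type.
| where
    gen_ai.policy.action == "BLOCKED"
    and gen_ai.compliance.violation_detected == "true"
    and gen_ai.policy.name == "topic_policy"

// Keep only what the aggregation needs: the user and an invocation identifier.
| keep user.id, gen_ai.request.id

// Count blocked invocations per user. After expanding two multi-valued fields a
// single invocation becomes one row per (name, action) combination, so a plain
// count() would count the same invocation several times and reach the threshold
// early; counting distinct request ids keeps the count per invocation
// (assumes gen_ai.request.id is unique per invocation — TODO confirm).
| stats
    Esql.ml_policy_blocked_topic_count = count_distinct(gen_ai.request.id)
    by user.id

// Filter for excessive violations (threshold of 5 kept from the original rule).
| where Esql.ml_policy_blocked_topic_count > 5

// Sort highest to lowest.
| sort Esql.ml_policy_blocked_topic_count desc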
