From aa68aa7e3d2ca6c74a73167d75682a70fe0eaa79 Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Mon, 10 Nov 2025 14:02:11 -0600
Subject: [PATCH] [Tuning] Add mv_expand for gen_ai.policy.action field
Resolves #5202
Resolves #5203
Resolves #5204
The gen_ai.policy.action field is an array, so an additional mv_expand is necessary for the rules to work correctly with AWS Bedrock integration events that contain multiple policy actions.
Updated rules:
- Unusual High Word Policy Blocks Detected
- Unusual High Denied Topic Blocks Detected
- Unusual High Denied Sensitive Information Policy Blocks Detected
- Unusual High Confidence Content Filter Blocks Detected
- AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request
---
 ...ock_guardrails_multiple_violations_in_single_request.toml | 5 ++++-
 ...s_bedrock_high_confidence_misconduct_blocks_detected.toml | 3 ++-
 ...ultiple_sensitive_information_policy_blocks_detected.toml | 3 ++-
 .../aws_bedrock_multiple_topic_policy_blocks_detected.toml | 3 ++-
 .../aws_bedrock_multiple_word_policy_blocks_detected.toml | 3 ++-
 5 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml b/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml
index aca56958a4c..1ea547c91c7 100644
--- a/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml
+++ b/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/02"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2025/11/10"
 [rule]
 author = ["Elastic"]
@@ -83,6 +83,9 @@ type = "esql"
 query = '''
 from logs-aws_bedrock.invocation-*
+// Expand multi-value policy action field
+| mv_expand gen_ai.policy.action
+
 // Filter for policy-blocked requests
 | where gen_ai.policy.action == "BLOCKED"
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml
index 012a1513e2b..f2706780c70 100644
--- a/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml
+++ b/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/05"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2025/11/10"
 [rule]
 author = ["Elastic"]
@@ -86,6 +86,7 @@ from logs-aws_bedrock.invocation-*
 | mv_expand gen_ai.compliance.violation_code
 | mv_expand gen_ai.policy.confidence
 | mv_expand gen_ai.policy.name
+| mv_expand gen_ai.policy.action
 // Filter for high-confidence content policy blocks with targeted violations
 | where
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml
index d234050c420..2e665685b4f 100644
--- a/rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml
+++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/20"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2025/11/10"
 [rule]
 author = ["Elastic"]
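Review bot: After the new `| mv_expand gen_ai.policy.action`, an event whose action array holds "BLOCKED" more than once (one entry per guardrail policy, if that is how the integration populates it) becomes one row per entry, so the `| where gen_ai.policy.action == "BLOCKED"` that follows passes the same request several times; whether that inflates the per-request violation count depends on the aggregation below the hunk, which lies outside it. If the intent is one row per blocked request, deduplicate before expanding, `| eval gen_ai.policy.action = mv_dedupe(gen_ai.policy.action)` ahead of the mv_expand, or use a distinct aggregate downstream. The comment `// Expand multi-value policy action field` would be more useful if it carried the reason given in the commit message, e.g. `// gen_ai.policy.action is multi-valued; expand it so the BLOCKED comparison below evaluates per value`, since that is what a future tuner needs to know before removing the line. The query continues past the end of the hunk.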
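Review bot: Chaining `| mv_expand gen_ai.policy.action` after the expansions of violation_code, confidence and name produces the cross product of those arrays, so a request carrying several policies yields rows that pair a policy name with an action belonging to a different policy; if the arrays are positionally aligned (the hunk does not show how the integration populates them), the `| where` that follows can match a policy that was not itself blocked, and every surviving combination is counted rather than every event. The same applies to the action expansions added to the sensitive-information, topic and word policy rules in this patch, and the `| where` and aggregation clauses affected lie outside all of these hunks. Worth confirming with a sample event in which only one of two policies has action BLOCKED, and recording the assumption above the new line: `// NOTE: successive mv_expand calls yield one row per name/confidence/action combination, not one per event`. If per-combination rows are unwanted, a distinct count downstream or deduplicating the action values before expansion would restore per-request counting.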
@@ -83,6 +83,7 @@ from logs-aws_bedrock.invocation-*
 // Expand multi-valued policy name field
 | mv_expand gen_ai.policy.name
+| mv_expand gen_ai.policy.action
 // Filter for blocked actions related to sensitive info policy
 | where
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml
index 7077e28380c..c98ff4ef1f5 100644
--- a/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml
+++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/20"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2025/11/10"
 [rule]
 author = ["Elastic"]
@@ -83,6 +83,7 @@ from logs-aws_bedrock.invocation-*
 // Expand multi-value policy name field
 | mv_expand gen_ai.policy.name
+| mv_expand gen_ai.policy.action
 // Filter for blocked topic policy violations
 | where
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml
index 698379c8b10..e59b0217bfd 100644
--- a/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml
+++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/20"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2025/11/10"
 [rule]
 author = ["Elastic"]
@@ -83,6 +83,7 @@ from logs-aws_bedrock.invocation-*
 // Expand multivalued policy names
 | mv_expand gen_ai.policy.name
+| mv_expand gen_ai.policy.action
 // Filter for blocked profanity-related policy violations
 | where