elastic · shashank-elastic · Nov 11, 2025 · Nov 10, 2025 · Nov 11, 2025
diff --git a/...ntegrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml b/...ntegrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/02"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2025/11/10"
 
 [rule]
 author = ["Elastic"]
@@ -83,6 +83,9 @@ type = "esql"
 query = '''
 from logs-aws_bedrock.invocation-*
 
+// Expand multi-value policy action field
+| mv_expand gen_ai.policy.action
+
 // Filter for policy-blocked requests
 | where gen_ai.policy.action == "BLOCKED"
 

diff --git a/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/05"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2025/11/10"
 
 [rule]
 author = ["Elastic"]
@@ -86,6 +86,7 @@ from logs-aws_bedrock.invocation-*
 | mv_expand gen_ai.compliance.violation_code
 | mv_expand gen_ai.policy.confidence
 | mv_expand gen_ai.policy.name
+| mv_expand gen_ai.policy.action
 
 // Filter for high-confidence content policy blocks with targeted violations
 | where

diff --git a/...ations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml b/...ations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/20"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2025/11/10"
 
 [rule]
 author = ["Elastic"]
@@ -83,6 +83,7 @@ from logs-aws_bedrock.invocation-*
 
 // Expand multi-valued policy name field
 | mv_expand gen_ai.policy.name
+| mv_expand gen_ai.policy.action
 
 // Filter for blocked actions related to sensitive info policy
 | where

diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/20"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2025/11/10"
 
 [rule]
 author = ["Elastic"]
@@ -83,6 +83,7 @@ from logs-aws_bedrock.invocation-*
 
 // Expand multi-value policy name field
 | mv_expand gen_ai.policy.name
+| mv_expand gen_ai.policy.action
 
 // Filter for blocked topic policy violations
 | where

diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/20"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2025/11/10"
 
 [rule]
 author = ["Elastic"]
@@ -83,6 +83,7 @@ from logs-aws_bedrock.invocation-*
 
 // Expand multivalued policy names
 | mv_expand gen_ai.policy.name
+| mv_expand gen_ai.policy.action
 
 // Filter for blocked profanity-related policy violations
 | where