nldcsc-elastic-rules 0.0.8__py3-none-any.whl

nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_high_resource_consumption_detection.toml

@@ -0,0 +1,117 @@
+[metadata]
+creation_date = "2024/05/04"
+integration = ["aws_bedrock"]
+maturity = "production"
+updated_date = "2025/09/25"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects potential resource exhaustion or data breach attempts by monitoring for users who consistently generate high
+input token counts, submit numerous requests, and receive large responses. This behavior could indicate an attempt to
+overload the system or extract an unusually large amount of data, possibly revealing sensitive information or causing
+service disruptions.
+"""
+false_positives = ["Authorized heavy usage of the system that is business justified and monitored."]
+from = "now-60m"
+interval = "10m"
+language = "esql"
+license = "Elastic License v2"
+name = "Potential Abuse of Resources by High Token Count and Large Response Sizes"
+note = """## Triage and analysis
+
+### Investigating Potential Abuse of Resources by High Token Count and Large Response Sizes
+
+Amazon Bedrock is AWS’s managed service that enables developers to build and scale generative AI applications using large foundation models (FMs) from top providers.
+
+Bedrock offers a variety of pretrained models from Amazon (such as the Titan series), as well as models from providers like Anthropic, Meta, Cohere, and AI21 Labs.
+
+#### Possible investigation steps
+
+- Identify the user account that used high prompt token counts and whether it should perform this kind of action.
+- Investigate large response sizes and the number of requests made by the user account.
+- Investigate other alerts associated with the user account during the past 48 hours.
+- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?
+- Examine the account's prompts and responses in the last 24 hours.
+- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.
+
+### False positive analysis
+
+- Verify the user account that used high prompt and large response sizes, has a business justification for the heavy usage of the system.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Disable or limit the account during the investigation and response.
+- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
+    - Identify the account role in the cloud environment.
+    - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
+    - Identify any regulatory or legal ramifications related to this activity.
+    - Identify potential resource exhaustion and impact on billing.
+- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
+references = [
+    "https://atlas.mitre.org/techniques/AML.T0051",
+    "https://owasp.org/www-project-top-10-for-large-language-model-applications/",
+    "https://www.elastic.co/security-labs/elastic-advances-llm-security",
+]
+risk_score = 47
+rule_id = "b1773d05-f349-45fb-9850-287b8f92f02d"
+setup = """## Setup
+
+This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:
+
+https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
+"""
+severity = "medium"
+tags = [
+    "Domain: LLM",
+    "Data Source: AWS Bedrock",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS S3",
+    "Use Case: Potential Overload",
+    "Use Case: Resource Exhaustion",
+    "Mitre Atlas: LLM04",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws_bedrock.invocation-*
+
+// keep token usage data
+| keep
+  user.id,
+  gen_ai.usage.prompt_tokens,
+  gen_ai.usage.completion_tokens
+
+// Aggregate usage metrics
+| stats
+    Esql.ml_usage_prompt_tokens_max = max(gen_ai.usage.prompt_tokens),
+    Esql.ml_invocations_total_count = count(*),
+    Esql.ml_usage_completion_tokens_avg = avg(gen_ai.usage.completion_tokens)
+  by
+    user.id
+
+// Filter for suspicious usage patterns
+| where
+  Esql.ml_usage_prompt_tokens_max > 5000
+  and Esql.ml_invocations_total_count > 10
+  and Esql.ml_usage_completion_tokens_avg > 500
+
+// Calculate a custom risk factor
+| eval Esql.ml_risk_score =
+    (Esql.ml_usage_prompt_tokens_max / 1000) *
+    Esql.ml_invocations_total_count *
+    (Esql.ml_usage_completion_tokens_avg / 500)
+
+// Filter on risk score
+| where Esql.ml_risk_score > 10
+
+// sort high risk users to top
+| sort Esql.ml_risk_score desc
+'''
+

nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml

@@ -0,0 +1,111 @@
+[metadata]
+creation_date = "2024/05/02"
+integration = ["aws_bedrock"]
+maturity = "production"
+updated_date = "2025/09/25"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies multiple successive failed attempts to use denied model resources within AWS Bedrock. This could indicated
+attempts to bypass limitations of other approved models, or to force an impact on the environment by incurring
+exhorbitant costs.
+"""
+false_positives = ["Legitimate misunderstanding by users or overly strict policies"]
+from = "now-60m"
+interval = "10m"
+language = "esql"
+license = "Elastic License v2"
+name = "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User"
+note = """## Triage and analysis
+
+### Investigating AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User
+
+Amazon Bedrock is AWS’s managed service that enables developers to build and scale generative AI applications using large foundation models (FMs) from top providers.
+
+Bedrock offers a variety of pretrained models from Amazon (such as the Titan series), as well as models from providers like Anthropic, Meta, Cohere, and AI21 Labs.
+
+#### Possible investigation steps
+
+- Identify the user account that attempted to use denied models.
+- Investigate other alerts associated with the user account during the past 48 hours.
+- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?
+- Examine the account's attempts to access Amazon Bedrock models in the last 24 hours.
+- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.
+
+### False positive analysis
+
+- Verify the user account that attempted to use denied models, is a legitimate misunderstanding by users or overly strict policies.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Disable or limit the account during the investigation and response.
+- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
+    - Identify the account role in the cloud environment.
+    - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
+    - Identify any regulatory or legal ramifications related to this activity.
+- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
+references = [
+    "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html",
+    "https://atlas.mitre.org/techniques/AML.T0015",
+    "https://atlas.mitre.org/techniques/AML.T0034",
+    "https://www.elastic.co/security-labs/elastic-advances-llm-security",
+]
+risk_score = 73
+rule_id = "17261da3-a6d0-463c-aac8-ea1718afcd20"
+setup = """## Setup
+
+This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:
+
+https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
+"""
+severity = "high"
+tags = [
+    "Domain: LLM",
+    "Data Source: AWS Bedrock",
+    "Data Source: AWS S3",
+    "Resources: Investigation Guide",
+    "Use Case: Policy Violation",
+    "Mitre Atlas: T0015",
+    "Mitre Atlas: T0034",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws_bedrock.invocation-*
+
+// Filter for access denied errors from GenAI responses
+| where gen_ai.response.error_code == "AccessDeniedException"
+
+// keep ECS and response fields
+| keep
+  user.id,
+  gen_ai.request.model.id,
+  cloud.account.id,
+  gen_ai.response.error_code
+
+// count total denials per user/model/account
+| stats
+    Esql.ml_response_access_denied_count = count(*)
+  by
+    user.id,
+    gen_ai.request.model.id,
+    cloud.account.id
+
+// Filter for users with repeated denials
+| where Esql.ml_response_access_denied_count > 3
+
+// sort by volume of denials
+| sort Esql.ml_response_access_denied_count desc
+'''
+
+
+
+[rule.investigation_fields]
+field_names = ["user.id", "cloud.account.id", "gen_ai.request.model.id", "total_denials"]
+

nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml

@@ -0,0 +1,108 @@
+[metadata]
+creation_date = "2024/11/20"
+integration = ["aws_bedrock"]
+maturity = "production"
+updated_date = "2025/11/10"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects repeated compliance violation 'BLOCKED' actions coupled with specific policy name such as
+'sensitive_information_policy', indicating persistent misuse or attempts to probe the model's denied topics.
+"""
+false_positives = ["New model deployments.", "Testing updates to compliance policies."]
+from = "now-60m"
+interval = "10m"
+language = "esql"
+license = "Elastic License v2"
+name = "Unusual High Denied Sensitive Information Policy Blocks Detected"
+note = """## Triage and analysis
+
+### Investigating Unusual High Denied Sensitive Information Policy Blocks Detected
+
+Amazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.
+
+It enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.
+
+Through Guardrail, organizations can define "sensitive information filters" to prevent the model from generating content on specific, undesired subjects,
+and they can establish thresholds for harmful content categories.
+
+#### Possible investigation steps
+
+- Identify the user account that queried sensitive information and whether it should perform this kind of action.
+- Investigate other alerts associated with the user account during the past 48 hours.
+- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?
+- Examine the account's prompts and responses in the last 24 hours.
+- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.
+
+### False positive analysis
+
+- Verify the user account that queried denied topics, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Disable or limit the account during the investigation and response.
+- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
+    - Identify the account role in the cloud environment.
+    - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
+    - Identify any regulatory or legal ramifications related to this activity.
+- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
+references = [
+    "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html",
+    "https://atlas.mitre.org/techniques/AML.T0051",
+    "https://atlas.mitre.org/techniques/AML.T0054",
+    "https://www.elastic.co/security-labs/elastic-advances-llm-security",
+]
+risk_score = 47
+rule_id = "0e1af929-42ed-4262-a846-55a7c54e7c84"
+setup = """## Setup
+
+This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:
+
+https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
+"""
+severity = "medium"
+tags = [
+    "Domain: LLM",
+    "Data Source: AWS Bedrock",
+    "Data Source: AWS S3",
+    "Use Case: Policy Violation",
+    "Mitre Atlas: T0051",
+    "Mitre Atlas: T0054",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws_bedrock.invocation-*
+
+// Expand multi-valued policy name field
+| mv_expand gen_ai.policy.name
+| mv_expand gen_ai.policy.action
+
+// Filter for blocked actions related to sensitive info policy
+| where
+  gen_ai.policy.action == "BLOCKED"
+  and gen_ai.compliance.violation_detected == "true"
+  and gen_ai.policy.name == "sensitive_information_policy"
+
+// keep only relevant fields
+| keep user.id
+
+// count how many times each user triggered a sensitive info block
+| stats
+    Esql.ml_policy_blocked_sensitive_info_count = count()
+  by user.id
+
+// Filter for users with more than 5 violations
+| where Esql.ml_policy_blocked_sensitive_info_count > 5
+
+// sort highest to lowest
+| sort Esql.ml_policy_blocked_sensitive_info_count desc
+'''
+

nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml

@@ -0,0 +1,108 @@
+[metadata]
+creation_date = "2024/11/20"
+integration = ["aws_bedrock"]
+maturity = "production"
+updated_date = "2025/11/10"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects repeated compliance violation 'BLOCKED' actions coupled with specific policy name such as 'topic_policy',
+indicating persistent misuse or attempts to probe the model's denied topics.
+"""
+false_positives = ["New model deployments.", "Testing updates to compliance policies."]
+from = "now-60m"
+interval = "10m"
+language = "esql"
+license = "Elastic License v2"
+name = "Unusual High Denied Topic Blocks Detected"
+note = """## Triage and analysis
+
+### Investigating Unusual High Denied Topic Blocks Detected
+
+Amazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.
+
+It enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.
+
+Through Guardrail, organizations can define "denied topics" to prevent the model from generating content on specific, undesired subjects,
+and they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language.
+
+#### Possible investigation steps
+
+- Identify the user account that queried denied topics and whether it should perform this kind of action.
+- Investigate other alerts associated with the user account during the past 48 hours.
+- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?
+- Examine the account's prompts and responses in the last 24 hours.
+- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.
+
+### False positive analysis
+
+- Verify the user account that queried denied topics, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Disable or limit the account during the investigation and response.
+- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
+    - Identify the account role in the cloud environment.
+    - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
+    - Identify any regulatory or legal ramifications related to this activity.
+- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
+references = [
+    "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html",
+    "https://atlas.mitre.org/techniques/AML.T0051",
+    "https://atlas.mitre.org/techniques/AML.T0054",
+    "https://www.elastic.co/security-labs/elastic-advances-llm-security",
+]
+risk_score = 47
+rule_id = "266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73"
+setup = """## Setup
+
+This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:
+
+https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
+"""
+severity = "medium"
+tags = [
+    "Domain: LLM",
+    "Data Source: AWS Bedrock",
+    "Data Source: AWS S3",
+    "Use Case: Policy Violation",
+    "Mitre Atlas: T0051",
+    "Mitre Atlas: T0054",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws_bedrock.invocation-*
+
+// Expand multi-value policy name field
+| mv_expand gen_ai.policy.name
+| mv_expand gen_ai.policy.action
+
+// Filter for blocked topic policy violations
+| where
+  gen_ai.policy.action == "BLOCKED"
+  and gen_ai.compliance.violation_detected == "true"
+  and gen_ai.policy.name == "topic_policy"
+
+// keep only user info
+| keep user.id
+
+// count how many times each user triggered a blocked topic policy
+| stats
+    Esql.ml_policy_blocked_topic_count = count()
+  by user.id
+
+// Filter for excessive violations
+| where Esql.ml_policy_blocked_topic_count > 5
+
+// sort highest to lowest
+| sort Esql.ml_policy_blocked_topic_count desc
+'''
+

nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml

@@ -0,0 +1,117 @@
+[metadata]
+creation_date = "2024/09/11"
+integration = ["aws_bedrock"]
+maturity = "production"
+updated_date = "2025/07/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies multiple validation exeception errors within AWS Bedrock. Validation errors occur when you run the
+InvokeModel or InvokeModelWithResponseStream APIs on a foundation model that uses an incorrect inference parameter or
+corresponding value. These errors also occur when you use an inference parameter for one model with a model that doesn't
+have the same API parameter. This could indicate attempts to bypass limitations of other approved models, or to force an
+impact on the environment by incurring exhorbitant costs.
+"""
+false_positives = ["Legitimate misunderstanding by users on accessing the bedrock models."]
+from = "now-60m"
+interval = "10m"
+language = "esql"
+license = "Elastic License v2"
+name = "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User"
+note = """## Triage and analysis
+
+### Investigating AWS Bedrock Detected Multiple Validation Exception Errors by a Single User
+
+Amazon Bedrock is AWS’s managed service that enables developers to build and scale generative AI applications using large foundation models (FMs) from top providers.
+
+Bedrock offers a variety of pretrained models from Amazon (such as the Titan series), as well as models from providers like Anthropic, Meta, Cohere, and AI21 Labs.
+
+#### Possible investigation steps
+
+- Identify the user account that caused validation errors in accessing the Amazon Bedrock models.
+- Investigate other alerts associated with the user account during the past 48 hours.
+- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?
+- Examine the account's attempts to access Amazon Bedrock models in the last 24 hours.
+- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.
+
+### False positive analysis
+
+- Verify the user account that that caused validation errors is a legitimate misunderstanding by users on accessing the bedrock models.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Disable or limit the account during the investigation and response.
+- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
+    - Identify the account role in the cloud environment.
+    - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
+    - Identify any regulatory or legal ramifications related to this activity.
+    - Identify if any implication to resource billing.
+- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
+references = [
+    "https://atlas.mitre.org/techniques/AML.T0015",
+    "https://atlas.mitre.org/techniques/AML.T0034",
+    "https://atlas.mitre.org/techniques/AML.T0046",
+    "https://www.elastic.co/security-labs/elastic-advances-llm-security",
+]
+risk_score = 73
+rule_id = "725a048a-88c5-4fc7-8677-a44fc0031822"
+setup = """## Setup
+
+This rule requires that AWS Bedrock Integration be configured. For more information, see the AWS Bedrock integration documentation:
+
+https://www.elastic.co/docs/current/integrations/aws_bedrock
+"""
+severity = "high"
+tags = [
+    "Domain: LLM",
+    "Data Source: AWS",
+    "Data Source: AWS Bedrock",
+    "Data Source: AWS S3",
+    "Use Case: Policy Violation",
+    "Mitre Atlas: T0015",
+    "Mitre Atlas: T0034",
+    "Mitre Atlas: T0046",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws_bedrock.invocation-*
+
+// Truncate timestamp to 1-minute window
+| eval Esql.time_window_date_trunc = date_trunc(1 minutes, @timestamp)
+
+// Filter for validation exceptions in responses
+| where gen_ai.response.error_code == "ValidationException"
+
+// keep relevant ECS and derived fields
+| keep
+  user.id,
+  gen_ai.request.model.id,
+  cloud.account.id,
+  gen_ai.response.error_code,
+  Esql.time_window_date_trunc
+
+// count number of denials by user/account/time window
+| stats
+    Esql.ml_response_validation_error_count = count(*)
+  by
+    Esql.time_window_date_trunc,
+    user.id,
+    cloud.account.id
+
+// Filter for excessive errors
+| where Esql.ml_response_validation_error_count > 3
+'''
+
+
+
+[rule.investigation_fields]
+field_names = ["target_time_window", "user.id", "cloud.account.id", "total_denials"]
+

nldcsc_elastic_rules/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml

@@ -0,0 +1,108 @@
+[metadata]
+creation_date = "2024/11/20"
+integration = ["aws_bedrock"]
+maturity = "production"
+updated_date = "2025/11/10"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects repeated compliance violation 'BLOCKED' actions coupled with specific policy name such as 'word_policy',
+indicating persistent misuse or attempts to probe the model's denied topics.
+"""
+false_positives = ["New model deployments.", "Testing updates to compliance policies."]
+from = "now-60m"
+interval = "10m"
+language = "esql"
+license = "Elastic License v2"
+name = "Unusual High Word Policy Blocks Detected"
+note = """## Triage and analysis
+
+### Investigating Unusual High Word Policy Blocks Detected
+
+Amazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.
+
+It enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.
+
+Through Guardrail, organizations can define "word filters" to prevent the model from generating content on profanity, undesired subjects,
+and they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language.
+
+#### Possible investigation steps
+
+- Identify the user account whose prompts contained profanity and whether it should perform this kind of action.
+- Investigate other alerts associated with the user account during the past 48 hours.
+- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?
+- Examine the account's prompts and responses in the last 24 hours.
+- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.
+
+### False positive analysis
+
+- Verify the user account that queried denied topics, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Disable or limit the account during the investigation and response.
+- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
+    - Identify the account role in the cloud environment.
+    - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
+    - Identify any regulatory or legal ramifications related to this activity.
+- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
+references = [
+    "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html",
+    "https://atlas.mitre.org/techniques/AML.T0051",
+    "https://atlas.mitre.org/techniques/AML.T0054",
+    "https://www.elastic.co/security-labs/elastic-advances-llm-security",
+]
+risk_score = 47
+rule_id = "3216949c-9300-4c53-b57a-221e364c6457"
+setup = """## Setup
+
+This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:
+
+https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
+"""
+severity = "medium"
+tags = [
+    "Domain: LLM",
+    "Data Source: AWS Bedrock",
+    "Data Source: AWS S3",
+    "Use Case: Policy Violation",
+    "Mitre Atlas: T0051",
+    "Mitre Atlas: T0054",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws_bedrock.invocation-*
+
+// Expand multivalued policy names
+| mv_expand gen_ai.policy.name
+| mv_expand gen_ai.policy.action
+
+// Filter for blocked profanity-related policy violations
+| where
+  gen_ai.policy.action == "BLOCKED"
+  and gen_ai.compliance.violation_detected == "true"
+  and gen_ai.policy.name == "word_policy"
+
+// keep relevant user field
+| keep user.id
+
+// count blocked profanity attempts per user
+| stats
+    Esql.ml_policy_blocked_profanity_count = count()
+  by user.id
+
+// Filter for excessive policy violations
+| where Esql.ml_policy_blocked_profanity_count > 5
+
+// sort by violation volume
+| sort Esql.ml_policy_blocked_profanity_count desc
+'''
+