Unusual High Denied Sensitive Information Policy Blocks Detected
Detects repeated compliance violation 'BLOCKED' actions coupled with specific policy name such as 'sensitive_information_policy', indicating persistent misuse or attempts to probe the model's denied topics.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/11/20"
3maturity = "production"
4updated_date = "2025/03/20"
5
6[rule]
7author = ["Elastic"]
8description = """
9Detects repeated compliance violation 'BLOCKED' actions coupled with specific policy name such as
10'sensitive_information_policy', indicating persistent misuse or attempts to probe the model's denied topics.
11"""
12false_positives = ["New model deployments.", "Testing updates to compliance policies."]
13from = "now-60m"
14interval = "10m"
15language = "esql"
16license = "Elastic License v2"
17name = "Unusual High Denied Sensitive Information Policy Blocks Detected"
18note = """## Triage and analysis
19
20### Investigating Unusual High Denied Sensitive Information Policy Blocks Detected
21
22Amazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.
23
24It enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.
25
26Through Guardrail, organizations can define "sensitive information filters" to prevent the model from generating content on specific, undesired subjects,
27and they can establish thresholds for harmful content categories.
28
29#### Possible investigation steps
30
31- Identify the user account that queried sensitive information and whether it should perform this kind of action.
32- Investigate other alerts associated with the user account during the past 48 hours.
33- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?
34- Examine the account's prompts and responses in the last 24 hours.
35- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.
36
37### False positive analysis
38
39- Verify the user account that queried denied topics, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.
40
41### Response and remediation
42
43- Initiate the incident response process based on the outcome of the triage.
44- Disable or limit the account during the investigation and response.
45- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
46 - Identify the account role in the cloud environment.
47 - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
48 - Identify any regulatory or legal ramifications related to this activity.
49- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
50- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
51- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
52"""
53references = [
54 "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html",
55 "https://atlas.mitre.org/techniques/AML.T0051",
56 "https://atlas.mitre.org/techniques/AML.T0054",
57 "https://www.elastic.co/security-labs/elastic-advances-llm-security",
58]
59risk_score = 47
60rule_id = "0e1af929-42ed-4262-a846-55a7c54e7c84"
61setup = """## Setup
62
63This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:
64
65https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
66"""
67severity = "medium"
68tags = [
69 "Domain: LLM",
70 "Data Source: AWS Bedrock",
71 "Data Source: AWS S3",
72 "Use Case: Policy Violation",
73 "Mitre Atlas: T0051",
74 "Mitre Atlas: T0054",
75 "Resources: Investigation Guide",
76]
77timestamp_override = "event.ingested"
78type = "esql"
79
80query = '''
81from logs-aws_bedrock.invocation-*
82| MV_EXPAND gen_ai.policy.name
83| where gen_ai.policy.action == "BLOCKED" and gen_ai.compliance.violation_detected == "true" and gen_ai.policy.name == "sensitive_information_policy"
84| keep user.id
85| stats sensitive_information_block = count() by user.id
86| where sensitive_information_block > 5
87| sort sensitive_information_block desc
88'''
Triage and analysis
Investigating Unusual High Denied Sensitive Information Policy Blocks Detected
Amazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.
It enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.
Through Guardrail, organizations can define "sensitive information filters" to prevent the model from generating content on specific, undesired subjects, and they can establish thresholds for harmful content categories.
Possible investigation steps
- Identify the user account that queried sensitive information and whether it should perform this kind of action.
- Investigate other alerts associated with the user account during the past 48 hours.
- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?
- Examine the account's prompts and responses in the last 24 hours.
- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.
False positive analysis
- Verify the user account that queried denied topics, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.
Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Disable or limit the account during the investigation and response.
- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
- Identify the account role in the cloud environment.
- Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
- Identify any regulatory or legal ramifications related to this activity.
- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
References
-
-
Discover Elastic’s latest advancements in LLM security, focusing on standardized field integrations and enhanced detection capabilities. Learn how adopting these standards can safeguard your systems.
Read More
Related rules
- AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request
- AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session
- AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session
- Unusual High Confidence Content Filter Blocks Detected
- Unusual High Denied Topic Blocks Detected