from logs-aws_bedrock.invocation-*
// Filter for compliance violations detected
| where gen_ai.compliance.violation_detected
// keep relevant ECS + model fields
| keep
user.id,
gen_ai.request.model.id,
cloud.account.id
// count violations by user, model, and account
| stats
Esql.ml_violations_count = count(*)
by
user.id,
gen_ai.request.model.id,
cloud.account.id
// Filter for repeated violations
| where Esql.ml_violations_count > 1
// sort descending by violation volume
| sort Esql.ml_violations_count desc
Install detection rules in Elastic Security
Detect AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).