// Flag users who repeatedly hit the Bedrock sensitive-information guardrail.
from logs-aws_bedrock.invocation-*
// The policy name can be multi-valued; expand it so each value can be compared directly
| mv_expand gen_ai.policy.name
// Keep only blocked invocations that were flagged as compliance violations
// for the sensitive-information policy
// NOTE(review): violation_detected is compared against the string "true"; if the field
// is mapped as boolean, the comparison should be against the literal true — confirm mapping
| where gen_ai.policy.name == "sensitive_information_policy"
  and gen_ai.compliance.violation_detected == "true"
  and gen_ai.policy.action == "BLOCKED"
// Drop every column except the grouping key before aggregating
| keep user.id
// Number of blocked sensitive-information invocations per user
| stats Esql.ml_policy_blocked_sensitive_info_count = count() by user.id
// Alert threshold: more than 5 blocks for the same user
| where Esql.ml_policy_blocked_sensitive_info_count > 5
// Most prolific users first
| sort Esql.ml_policy_blocked_sensitive_info_count desc