Unusual High Confidence Misconduct Blocks Detected

Last updated 16 days ago on 2024-11-05

Created 7 months ago on 2024-05-05

About

Detects repeated high-confidence 'BLOCKED' actions coupled with specific violation codes such as 'MISCONDUCT', indicating persistent misuse or attempts to probe the model's ethical boundaries.

Tags: Domain: LLMData Source: AWS BedrockData Source: AWS S3Use Case: Policy ViolationMitre Atlas: T0051Mitre Atlas: T0054
Severity: high
Risk Score: 73
False Positive Examples: New model deployments.Testing updates to compliance policies.
License: Elastic License v2(opens in a new tab or window)

Definition

Integration Pack: Prebuilt Security Detection Rules
Related Integrations: (opens in a new tab or window)
Query

from logs-aws_bedrock.invocation-*
| MV_EXPAND gen_ai.compliance.violation_code
| MV_EXPAND gen_ai.policy.confidence
| where gen_ai.policy.action == "BLOCKED" and gen_ai.policy.confidence LIKE "HIGH" and gen_ai.compliance.violation_code LIKE "MISCONDUCT"
| keep user.id
| stats high_confidence_blocks = count() by user.id
| where high_confidence_blocks > 5
| sort high_confidence_blocks desc

Install detection rules in Elastic Security

Detect Unusual High Confidence Misconduct Blocks Detected in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).