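from logs-aws_bedrock.invocation-*
// Bucket every invocation into a 1-minute window. This window is the "session"
// the rule title refers to; the original query computed it but never grouped by
// it, so the bucket was dead and the count silently spanned the whole lookback.
| eval Esql.time_window_date_trunc = date_trunc(1 minute, @timestamp)
// Keep only invocations with no guardrail attached that can be tied to a user.
// NOTE(review): `is null` assumes gen_ai.guardrail_id is simply absent when no
// guardrail was applied (not an empty string) — confirm against the integration.
// Rows without user.id cannot be attributed and are dropped before aggregation.
| where gen_ai.guardrail_id is null and user.id is not null
// Narrow the row early; stats discards anything not in `by` regardless.
| keep
  @timestamp,
  Esql.time_window_date_trunc,
  gen_ai.guardrail_id,
  user.id
// Count unguarded invocations per user *per 1-minute window*. Grouping by the
// window makes the threshold a burst rate rather than a total over the rule's
// lookback; if the whole-lookback total was intentional, drop the window from
// `by` and delete the eval above instead of leaving it unused.
| stats
  Esql.ml_invocations_no_guardrails_count = count()
  by Esql.time_window_date_trunc, user.id
// More than 5 unguarded calls by one user inside a single minute. Retune this
// threshold for your environment: a per-minute count is lower than the old
// per-lookback count for the same data.
| where Esql.ml_invocations_no_guardrails_count > 5
// Largest bursts first; newest window first among equal counts
| sort Esql.ml_invocations_no_guardrails_count desc, Esql.time_window_date_trunc desc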
Install detection rules in Elastic Security
Detect AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, follow the installation guide for Prebuilt Security Detection Rules.