Elastic Security Detection Rules

AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request

Last updated a month ago on 2025-07-16
Created a year ago on 2024-05-02

About

Identifies multiple violations of AWS Bedrock guardrails within a single request, resulting in a block action, increasing the likelihood of malicious intent. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.
Tags
Domain: LLMData Source: AWS BedrockData Source: AWS S3Use Case: Policy ViolationMitre Atlas: T0051Mitre Atlas: T0054Language: esql
Severity
low
Risk Score
21
False Positive Examples
Legitimate misunderstanding by users or overly strict policies
License
Elastic License v2(opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

(opens in a new tab or window)

Query
from logs-aws_bedrock.invocation-*

// Filter for policy-blocked requests
| where gen_ai.policy.action == "BLOCKED"

// count number of policy matches per request (multi-valued)
| eval Esql.ml_policy_violations_mv_count = mv_count(gen_ai.policy.name)

// Filter for requests with more than one policy match
| where Esql.ml_policy_violations_mv_count > 1

// keep relevant fields
| keep
  gen_ai.policy.action,
  Esql.ml_policy_violations_mv_count,
  user.id,
  gen_ai.request.model.id,
  cloud.account.id

// Aggregate requests with multiple violations
| stats
    Esql.ml_policy_violations_total_unique_requests_count = count(*)
  by
    Esql.ml_policy_violations_mv_count,
    user.id,
    gen_ai.request.model.id,
    cloud.account.id

// sort by number of unique requests
| sort Esql.ml_policy_violations_total_unique_requests_count desc

Install detection rules in Elastic Security

Detect AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).