[Tuning] Add mv_expand for gen_ai.policy.action field (#5296)

Resolves #5202
Resolves #5203
Resolves #5204

The gen_ai.policy.action field is an array, so an additional mv_expand
is necessary for the rules to work correctly with AWS Bedrock integration
events that contain multiple policy actions.

Updated rules:
- Unusual High Word Policy Blocks Detected
- Unusual High Denied Topic Blocks Detected
- Unusual High Denied Sensitive Information Policy Blocks Detected
- Unusual High Confidence Content Filter Blocks Detected
- AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Mika Ayenson, PhD
2025-11-10 20:07:40 -06:00
parent 34bd88a37e
commit 4e1c8f677c
5 changed files with 12 additions and 5 deletions
@@ -2,7 +2,7 @@
creation_date = "2024/05/02"
integration = ["aws_bedrock"]
maturity = "production"
updated_date = "2025/09/25"
updated_date = "2025/11/10"
[rule]
author = ["Elastic"]
@@ -83,6 +83,9 @@ type = "esql"
query = '''
from logs-aws_bedrock.invocation-*
// Expand multi-value policy action field
| mv_expand gen_ai.policy.action
// Filter for policy-blocked requests
| where gen_ai.policy.action == "BLOCKED"
@@ -2,7 +2,7 @@
creation_date = "2024/05/05"
integration = ["aws_bedrock"]
maturity = "production"
updated_date = "2025/09/25"
updated_date = "2025/11/10"
[rule]
author = ["Elastic"]
@@ -86,6 +86,7 @@ from logs-aws_bedrock.invocation-*
| mv_expand gen_ai.compliance.violation_code
| mv_expand gen_ai.policy.confidence
| mv_expand gen_ai.policy.name
| mv_expand gen_ai.policy.action
// Filter for high-confidence content policy blocks with targeted violations
| where
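Review bot: Expanding `gen_ai.policy.action` directly after `| mv_expand gen_ai.policy.name` (and, in this hunk, after the violation_code and confidence expansions) yields one row per combination of the expanded values for each event rather than one row per policy decision, so an event where one policy was BLOCKED and another was not also produces a row pairing the non-blocked policy name with "BLOCKED", and any downstream count grows with the product of the array lengths. The `where` clause and whatever aggregation follows are outside the visible lines, so whether this inflates the "unusual high" baselines or misattributes a block to the wrong policy depends on how the query continues. If the arrays are positionally aligned in the integration's events, or the later stage counts distinct requests rather than rows, that assumption should be stated next to the expansion: `// NOTE: name/action are expanded independently; each row is a (name, action) pair, not a per-policy decision`. The same shape appears in the hunks ending at L67, L81 and L95; the hunk ending at L40 expands the action field alone and filters it immediately, which avoids the pairing issue but still multiplies rows per event.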
@@ -2,7 +2,7 @@
creation_date = "2024/11/20"
integration = ["aws_bedrock"]
maturity = "production"
updated_date = "2025/09/25"
updated_date = "2025/11/10"
[rule]
author = ["Elastic"]
@@ -83,6 +83,7 @@ from logs-aws_bedrock.invocation-*
// Expand multi-valued policy name field
| mv_expand gen_ai.policy.name
| mv_expand gen_ai.policy.action
// Filter for blocked actions related to sensitive info policy
| where
@@ -2,7 +2,7 @@
creation_date = "2024/11/20"
integration = ["aws_bedrock"]
maturity = "production"
updated_date = "2025/09/25"
updated_date = "2025/11/10"
[rule]
author = ["Elastic"]
@@ -83,6 +83,7 @@ from logs-aws_bedrock.invocation-*
// Expand multi-value policy name field
| mv_expand gen_ai.policy.name
| mv_expand gen_ai.policy.action
// Filter for blocked topic policy violations
| where
@@ -2,7 +2,7 @@
creation_date = "2024/11/20"
integration = ["aws_bedrock"]
maturity = "production"
updated_date = "2025/09/25"
updated_date = "2025/11/10"
[rule]
author = ["Elastic"]
@@ -83,6 +83,7 @@ from logs-aws_bedrock.invocation-*
// Expand multivalued policy names
| mv_expand gen_ai.policy.name
| mv_expand gen_ai.policy.action
// Filter for blocked profanity-related policy violations
| where