security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Tune Bedrock rule to accept multivalued column (#4205)

Browse Source
This commit is contained in:
shashank-elastic
2024-10-23 20:48:56 +05:30
committed by GitHub
parent 77f0ee85d9
commit be656ae740
1 changed files with 5 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml
+5 -3
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2024/05/05"
maturity = "production"
updated_date = "2024/10/09"
updated_date = "2024/10/23"
min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview"
min_stack_version = "8.13.0"
@@ -45,8 +45,10 @@ type = "esql"
query = '''
from logs-aws_bedrock.invocation-*
| where gen_ai.policy.confidence == "HIGH" and gen_ai.policy.action == "BLOCKED" and gen_ai.compliance.violation_code == "MISCONDUCT"
| keep gen_ai.policy.confidence, gen_ai.policy.action, gen_ai.compliance.violation_code, user.id
| MV_EXPAND gen_ai.compliance.violation_code
| MV_EXPAND gen_ai.policy.confidence
| where gen_ai.policy.action == "BLOCKED" and gen_ai.policy.confidence LIKE "HIGH" and gen_ai.compliance.violation_code LIKE "MISCONDUCT"
| keep user.id
| stats high_confidence_blocks = count() by user.id
| where high_confidence_blocks > 5
| sort high_confidence_blocks desc