From be656ae7400a2e64823986259914de82a6e0790d Mon Sep 17 00:00:00 2001
From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Date: Wed, 23 Oct 2024 20:48:56 +0530
Subject: [PATCH] Tune Bedrock rule to accept multivalued column (#4205)
---
 ...edrock_high_confidence_misconduct_blocks_detected.toml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml
index a9f0af336..8ffa79247 100644
--- a/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml
+++ b/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2024/05/05"
 maturity = "production"
-updated_date = "2024/10/09"
+updated_date = "2024/10/23"
 min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview"
 min_stack_version = "8.13.0"
@@ -45,8 +45,10 @@ type = "esql"
 query = '''
 from logs-aws_bedrock.invocation-*
-| where gen_ai.policy.confidence == "HIGH" and gen_ai.policy.action == "BLOCKED" and gen_ai.compliance.violation_code == "MISCONDUCT"
-| keep gen_ai.policy.confidence, gen_ai.policy.action, gen_ai.compliance.violation_code, user.id
+| MV_EXPAND gen_ai.compliance.violation_code
+| MV_EXPAND gen_ai.policy.confidence
+| where gen_ai.policy.action == "BLOCKED" and gen_ai.policy.confidence LIKE "HIGH" and gen_ai.compliance.violation_code LIKE "MISCONDUCT"
+| keep user.id
 | stats high_confidence_blocks = count() by user.id
 | where high_confidence_blocks > 5
 | sort high_confidence_blocks desc