detection.wiki

Detection rules › Elastic

AWS Bedrock Detected Multiple Validation Exception Errors by a Single User

Status
production
Severity
high
Time window
1h
Group by
Esql.time_window_date_trunc, cloud.account.id, user.id
Author
Elastic
Source
github.com/elastic/detection-rules

Identifies multiple validation exeception errors within AWS Bedrock. Validation errors occur when you run the InvokeModel or InvokeModelWithResponseStream APIs on a foundation model that uses an incorrect inference parameter or corresponding value. These errors also occur when you use an inference parameter for one model with a model that doesn't have the same API parameter. This could indicate attempts to bypass limitations of other approved models, or to force an impact on the environment by incurring exhorbitant costs.

MITRE ATLAS coverage

Adversarial-ML threat framework (not MITRE ATT&CK).

TacticTechniques
Initial AccessAML.T0015 Evade AI Model
Defense EvasionAML.T0015 Evade AI Model
ImpactAML.T0015 Evade AI Model, AML.T0034 Cost Harvesting, AML.T0046 Spamming AI System with Chaff Data

Rule body elastic

[metadata]
creation_date = "2024/09/11"
integration = ["aws_bedrock"]
maturity = "production"
updated_date = "2025/07/16"

[rule]
author = ["Elastic"]
description = """
Identifies multiple validation exeception errors within AWS Bedrock. Validation errors occur when you run the
InvokeModel or InvokeModelWithResponseStream APIs on a foundation model that uses an incorrect inference parameter or
corresponding value. These errors also occur when you use an inference parameter for one model with a model that doesn't
have the same API parameter. This could indicate attempts to bypass limitations of other approved models, or to force an
impact on the environment by incurring exhorbitant costs.
"""
false_positives = ["Legitimate misunderstanding by users on accessing the bedrock models."]
from = "now-60m"
interval = "10m"
language = "esql"
license = "Elastic License v2"
name = "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User"
note = """## Triage and analysis

### Investigating AWS Bedrock Detected Multiple Validation Exception Errors by a Single User

Amazon Bedrock is AWS’s managed service that enables developers to build and scale generative AI applications using large foundation models (FMs) from top providers.

Bedrock offers a variety of pretrained models from Amazon (such as the Titan series), as well as models from providers like Anthropic, Meta, Cohere, and AI21 Labs.

#### Possible investigation steps

- Identify the user account that caused validation errors in accessing the Amazon Bedrock models.
- Investigate other alerts associated with the user account during the past 48 hours.
- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?
- Examine the account's attempts to access Amazon Bedrock models in the last 24 hours.
- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.

### False positive analysis

- Verify the user account that that caused validation errors is a legitimate misunderstanding by users on accessing the bedrock models.

### Response and remediation

- Initiate the incident response process based on the outcome of the triage.
- Disable or limit the account during the investigation and response.
- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
    - Identify the account role in the cloud environment.
    - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
    - Identify any regulatory or legal ramifications related to this activity.
    - Identify if any implication to resource billing.
- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = [
    "https://atlas.mitre.org/techniques/AML.T0015",
    "https://atlas.mitre.org/techniques/AML.T0034",
    "https://atlas.mitre.org/techniques/AML.T0046",
    "https://www.elastic.co/security-labs/elastic-advances-llm-security",
]
risk_score = 73
rule_id = "725a048a-88c5-4fc7-8677-a44fc0031822"
setup = """## Setup

This rule requires that AWS Bedrock Integration be configured. For more information, see the AWS Bedrock integration documentation:

https://www.elastic.co/docs/current/integrations/aws_bedrock
"""
severity = "high"
tags = [
    "Domain: LLM",
    "Data Source: AWS",
    "Data Source: AWS Bedrock",
    "Data Source: AWS S3",
    "Use Case: Policy Violation",
    "Mitre Atlas: T0015",
    "Mitre Atlas: T0034",
    "Mitre Atlas: T0046",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-aws_bedrock.invocation-*

// Truncate timestamp to 1-minute window
| eval Esql.time_window_date_trunc = date_trunc(1 minutes, @timestamp)

// Filter for validation exceptions in responses
| where gen_ai.response.error_code == "ValidationException"

// keep relevant ECS and derived fields
| keep
  user.id,
  gen_ai.request.model.id,
  cloud.account.id,
  gen_ai.response.error_code,
  Esql.time_window_date_trunc

// count number of denials by user/account/time window
| stats
    Esql.ml_response_validation_error_count = count(*)
  by
    Esql.time_window_date_trunc,
    user.id,
    cloud.account.id

// Filter for excessive errors
| where Esql.ml_response_validation_error_count > 3
'''



[rule.investigation_fields]
field_names = ["target_time_window", "user.id", "cloud.account.id", "total_denials"]

Stages and Predicates

Stage 1: from

from logs-aws_bedrock.invocation-*

Stage 2: eval

| eval Esql.time_window_date_trunc = date_trunc(1 minutes, @timestamp)

Stage 3: where

| where gen_ai.response.error_code == "ValidationException"

Stage 4: keep

| keep
  user.id,
  gen_ai.request.model.id,
  cloud.account.id,
  gen_ai.response.error_code,
  Esql.time_window_date_trunc

Stage 5: stats

| stats
    Esql.ml_response_validation_error_count = count(*)
  by
    Esql.time_window_date_trunc,
    user.id,
    cloud.account.id

Stage 6: where

| where Esql.ml_response_validation_error_count > 3

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Esql.ml_response_validation_error_countgt
  • 3
gen_ai.response.error_codeeq
  • ValidationException

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

FieldSource
Esql.ml_response_validation_error_countSTATS Esql.ml_response_validation_error_count = count(*)
Esql.time_window_date_truncSTATS BY
user.idSTATS BY
cloud.account.idSTATS BY