-
Notifications
You must be signed in to change notification settings - Fork 191
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
6cbd488
commit be5e838
Showing
156 changed files
with
8,725 additions
and
234 deletions.
There are no files selected for viewing
116 changes: 116 additions & 0 deletions
116
...drock-detected-multiple-attempts-to-use-denied-models-by-a-single-user.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,116 @@ | ||
| [[prebuilt-rule-8-13-22-aws-bedrock-detected-multiple-attempts-to-use-denied-models-by-a-single-user]] | ||
| === AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User | ||
|
|
||
| Identifies multiple successive failed attempts to use denied model resources within AWS Bedrock. This could indicated attempts to bypass limitations of other approved models, or to force an impact on the environment by incurring exhorbitant costs. | ||
|
|
||
| *Rule type*: esql | ||
|
|
||
| *Rule indices*: None | ||
|
|
||
| *Severity*: high | ||
|
|
||
| *Risk score*: 73 | ||
|
|
||
| *Runs every*: 10m | ||
|
|
||
| *Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) | ||
|
|
||
| *Maximum alerts per execution*: 100 | ||
|
|
||
| *References*: | ||
|
|
||
| * https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html | ||
| * https://atlas.mitre.org/techniques/AML.T0015 | ||
| * https://atlas.mitre.org/techniques/AML.T0034 | ||
| * https://www.elastic.co/security-labs/elastic-advances-llm-security | ||
|
|
||
| *Tags*: | ||
|
|
||
| * Domain: LLM | ||
| * Data Source: AWS Bedrock | ||
| * Data Source: AWS S3 | ||
| * Resources: Investigation Guide | ||
| * Use Case: Policy Violation | ||
| * Mitre Atlas: T0015 | ||
| * Mitre Atlas: T0034 | ||
|
|
||
| *Version*: 3 | ||
|
|
||
| *Rule authors*: | ||
|
|
||
| * Elastic | ||
|
|
||
| *Rule license*: Elastic License v2 | ||
|
|
||
|
|
||
| ==== Investigation guide | ||
|
|
||
|
|
||
|
|
||
| *Triage and analysis* | ||
|
|
||
|
|
||
|
|
||
| *Investigating Attempt to use Denied Amazon Bedrock Models.* | ||
|
|
||
|
|
||
| Amazon Bedrock is AWS’s managed service that enables developers to build and scale generative AI applications using large foundation models (FMs) from top providers. | ||
|
|
||
| Bedrock offers a variety of pretrained models from Amazon (such as the Titan series), as well as models from providers like Anthropic, Meta, Cohere, and AI21 Labs. | ||
|
|
||
|
|
||
| *Possible investigation steps* | ||
|
|
||
|
|
||
| - Identify the user account that attempted to use denied models. | ||
| - Investigate other alerts associated with the user account during the past 48 hours. | ||
| - Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day? | ||
| - Examine the account's attempts to access Amazon Bedrock models in the last 24 hours. | ||
| - If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours. | ||
|
|
||
|
|
||
| *False positive analysis* | ||
|
|
||
|
|
||
| - Verify the user account that attempted to use denied models, is a legitimate misunderstanding by users or overly strict policies. | ||
|
|
||
|
|
||
| *Response and remediation* | ||
|
|
||
|
|
||
| - Initiate the incident response process based on the outcome of the triage. | ||
| - Disable or limit the account during the investigation and response. | ||
| - Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: | ||
| - Identify the account role in the cloud environment. | ||
| - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services. | ||
| - Identify any regulatory or legal ramifications related to this activity. | ||
| - Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed. | ||
| - Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. | ||
| - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). | ||
|
|
||
|
|
||
| ==== Setup | ||
|
|
||
|
|
||
|
|
||
| *Setup* | ||
|
|
||
|
|
||
| This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation: | ||
|
|
||
| https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html | ||
|
|
||
|
|
||
| ==== Rule query | ||
|
|
||
|
|
||
| [source, js] | ||
| ---------------------------------- | ||
| from logs-aws_bedrock.invocation-* | ||
| | where gen_ai.response.error_code == "AccessDeniedException" | ||
| | keep user.id, gen_ai.request.model.id, cloud.account.id, gen_ai.response.error_code | ||
| | stats total_denials = count(*) by user.id, gen_ai.request.model.id, cloud.account.id | ||
| | where total_denials > 3 | ||
| | sort total_denials desc | ||
| ---------------------------------- |
120 changes: 120 additions & 0 deletions
120
...bedrock-detected-multiple-validation-exception-errors-by-a-single-user.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,120 @@ | ||
| [[prebuilt-rule-8-13-22-aws-bedrock-detected-multiple-validation-exception-errors-by-a-single-user]] | ||
| === AWS Bedrock Detected Multiple Validation Exception Errors by a Single User | ||
|
|
||
| Identifies multiple validation exeception errors within AWS Bedrock. Validation errors occur when you run the InvokeModel or InvokeModelWithResponseStream APIs on a foundation model that uses an incorrect inference parameter or corresponding value. These errors also occur when you use an inference parameter for one model with a model that doesn't have the same API parameter. This could indicate attempts to bypass limitations of other approved models, or to force an impact on the environment by incurring exhorbitant costs. | ||
|
|
||
| *Rule type*: esql | ||
|
|
||
| *Rule indices*: None | ||
|
|
||
| *Severity*: high | ||
|
|
||
| *Risk score*: 73 | ||
|
|
||
| *Runs every*: 10m | ||
|
|
||
| *Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) | ||
|
|
||
| *Maximum alerts per execution*: 100 | ||
|
|
||
| *References*: | ||
|
|
||
| * https://atlas.mitre.org/techniques/AML.T0015 | ||
| * https://atlas.mitre.org/techniques/AML.T0034 | ||
| * https://atlas.mitre.org/techniques/AML.T0046 | ||
| * https://www.elastic.co/security-labs/elastic-advances-llm-security | ||
|
|
||
| *Tags*: | ||
|
|
||
| * Domain: LLM | ||
| * Data Source: AWS | ||
| * Data Source: AWS Bedrock | ||
| * Data Source: AWS S3 | ||
| * Use Case: Policy Violation | ||
| * Mitre Atlas: T0015 | ||
| * Mitre Atlas: T0034 | ||
| * Mitre Atlas: T0046 | ||
|
|
||
| *Version*: 3 | ||
|
|
||
| *Rule authors*: | ||
|
|
||
| * Elastic | ||
|
|
||
| *Rule license*: Elastic License v2 | ||
|
|
||
|
|
||
| ==== Investigation guide | ||
|
|
||
|
|
||
|
|
||
| *Triage and analysis* | ||
|
|
||
|
|
||
|
|
||
| *Investigating Amazon Bedrock Model Validation Exception Errors.* | ||
|
|
||
|
|
||
| Amazon Bedrock is AWS’s managed service that enables developers to build and scale generative AI applications using large foundation models (FMs) from top providers. | ||
|
|
||
| Bedrock offers a variety of pretrained models from Amazon (such as the Titan series), as well as models from providers like Anthropic, Meta, Cohere, and AI21 Labs. | ||
|
|
||
|
|
||
| *Possible investigation steps* | ||
|
|
||
|
|
||
| - Identify the user account that caused validation errors in accessing the Amazon Bedrock models. | ||
| - Investigate other alerts associated with the user account during the past 48 hours. | ||
| - Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day? | ||
| - Examine the account's attempts to access Amazon Bedrock models in the last 24 hours. | ||
| - If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours. | ||
|
|
||
|
|
||
| *False positive analysis* | ||
|
|
||
|
|
||
| - Verify the user account that that caused validation errors is a legitimate misunderstanding by users on accessing the bedrock models. | ||
|
|
||
|
|
||
| *Response and remediation* | ||
|
|
||
|
|
||
| - Initiate the incident response process based on the outcome of the triage. | ||
| - Disable or limit the account during the investigation and response. | ||
| - Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: | ||
| - Identify the account role in the cloud environment. | ||
| - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services. | ||
| - Identify any regulatory or legal ramifications related to this activity. | ||
| - Identify if any implication to resource billing. | ||
| - Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed. | ||
| - Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. | ||
| - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). | ||
|
|
||
|
|
||
| ==== Setup | ||
|
|
||
|
|
||
|
|
||
| *Setup* | ||
|
|
||
|
|
||
| This rule requires that AWS Bedrock Integration be configured. For more information, see the AWS Bedrock integration documentation: | ||
|
|
||
| https://www.elastic.co/docs/current/integrations/aws_bedrock | ||
|
|
||
|
|
||
| ==== Rule query | ||
|
|
||
|
|
||
| [source, js] | ||
| ---------------------------------- | ||
| from logs-aws_bedrock.invocation-* | ||
| // truncate the timestamp to a 1-minute window | ||
| | eval target_time_window = DATE_TRUNC(1 minutes, @timestamp) | ||
| | where gen_ai.response.error_code == "ValidationException" | ||
| | keep user.id, gen_ai.request.model.id, cloud.account.id, gen_ai.response.error_code, target_time_window | ||
| // count the number of users causing validation errors within a 1 minute window | ||
| | stats total_denials = count(*) by target_time_window, user.id, cloud.account.id | ||
| | where total_denials > 3 | ||
| ---------------------------------- |
121 changes: 121 additions & 0 deletions
121
...ls-detected-multiple-policy-violations-within-a-single-blocked-request.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,121 @@ | ||
| [[prebuilt-rule-8-13-22-aws-bedrock-guardrails-detected-multiple-policy-violations-within-a-single-blocked-request]] | ||
| === AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request | ||
|
|
||
| Identifies multiple violations of AWS Bedrock guardrails within a single request, resulting in a block action, increasing the likelihood of malicious intent. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system. | ||
|
|
||
| *Rule type*: esql | ||
|
|
||
| *Rule indices*: None | ||
|
|
||
| *Severity*: low | ||
|
|
||
| *Risk score*: 21 | ||
|
|
||
| *Runs every*: 10m | ||
|
|
||
| *Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) | ||
|
|
||
| *Maximum alerts per execution*: 100 | ||
|
|
||
| *References*: | ||
|
|
||
| * https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html | ||
| * https://atlas.mitre.org/techniques/AML.T0051 | ||
| * https://atlas.mitre.org/techniques/AML.T0054 | ||
| * https://www.elastic.co/security-labs/elastic-advances-llm-security | ||
|
|
||
| *Tags*: | ||
|
|
||
| * Domain: LLM | ||
| * Data Source: AWS Bedrock | ||
| * Data Source: AWS S3 | ||
| * Resources: Investigation Guide | ||
| * Use Case: Policy Violation | ||
| * Mitre Atlas: T0051 | ||
| * Mitre Atlas: T0054 | ||
|
|
||
| *Version*: 3 | ||
|
|
||
| *Rule authors*: | ||
|
|
||
| * Elastic | ||
|
|
||
| *Rule license*: Elastic License v2 | ||
|
|
||
|
|
||
| ==== Investigation guide | ||
|
|
||
|
|
||
|
|
||
| *Triage and analysis* | ||
|
|
||
|
|
||
|
|
||
| *Investigating Amazon Bedrock Guardrail Multiple Policy Violations Within a Single Blocked Request.* | ||
|
|
||
|
|
||
| Amazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications. | ||
|
|
||
| It enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices. | ||
|
|
||
| Through Guardrail, organizations can define "denied topics" to prevent the model from generating content on specific, undesired subjects, | ||
| and they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language. | ||
|
|
||
|
|
||
| *Possible investigation steps* | ||
|
|
||
|
|
||
| - Identify the user account and the user request that caused multiple policy violations and whether it should perform this kind of action. | ||
| - Investigate the user activity that might indicate a potential brute force attack. | ||
| - Investigate other alerts associated with the user account during the past 48 hours. | ||
| - Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day? | ||
| - Examine the account's prompts and responses in the last 24 hours. | ||
| - If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours. | ||
|
|
||
|
|
||
| *False positive analysis* | ||
|
|
||
|
|
||
| - Verify the user account that caused multiple policy violations, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails. | ||
|
|
||
|
|
||
| *Response and remediation* | ||
|
|
||
|
|
||
| - Initiate the incident response process based on the outcome of the triage. | ||
| - Disable or limit the account during the investigation and response. | ||
| - Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: | ||
| - Identify the account role in the cloud environment. | ||
| - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services. | ||
| - Identify any regulatory or legal ramifications related to this activity. | ||
| - Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed. | ||
| - Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. | ||
| - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). | ||
|
|
||
|
|
||
| ==== Setup | ||
|
|
||
|
|
||
|
|
||
| *Setup* | ||
|
|
||
|
|
||
| This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation: | ||
|
|
||
| https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html | ||
|
|
||
|
|
||
| ==== Rule query | ||
|
|
||
|
|
||
| [source, js] | ||
| ---------------------------------- | ||
| from logs-aws_bedrock.invocation-* | ||
| | where gen_ai.policy.action == "BLOCKED" | ||
| | eval policy_violations = mv_count(gen_ai.policy.name) | ||
| | where policy_violations > 1 | ||
| | keep gen_ai.policy.action, policy_violations, user.id, gen_ai.request.model.id, cloud.account.id, user.id | ||
| | stats total_unique_request_violations = count(*) by policy_violations, user.id, gen_ai.request.model.id, cloud.account.id | ||
| | sort total_unique_request_violations desc | ||
| ---------------------------------- |
Oops, something went wrong.