[Tuning] Add mv_expand for gen_ai.policy.action field

Resolves #5202
Resolves #5203
Resolves #5204

The gen_ai.policy.action field is an array, so an additional mv_expand
is necessary for the rules to work correctly with AWS Bedrock integration
events that contain multiple policy actions.

Updated rules:
- Unusual High Word Policy Blocks Detected
- Unusual High Denied Topic Blocks Detected
- Unusual High Denied Sensitive Information Policy Blocks Detected

Author: Mikaayenson

rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/11/20"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2025/11/10"
 
 [rule]
 author = ["Elastic"]
@@ -83,6 +83,7 @@ from logs-aws_bedrock.invocation-*
 
 // Expand multi-valued policy name field
 | mv_expand gen_ai.policy.name
+| mv_expand gen_ai.policy.action
 
 // Filter for blocked actions related to sensitive info policy
 | where

rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/11/20"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2025/11/10"
 
 [rule]
 author = ["Elastic"]
@@ -83,6 +83,7 @@ from logs-aws_bedrock.invocation-*
 
 // Expand multi-value policy name field
 | mv_expand gen_ai.policy.name
+| mv_expand gen_ai.policy.action
 
 // Filter for blocked topic policy violations
 | where

rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/11/20"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2025/11/10"
 
 [rule]
 author = ["Elastic"]
@@ -83,6 +83,7 @@ from logs-aws_bedrock.invocation-*
 
 // Expand multivalued policy names
 | mv_expand gen_ai.policy.name
+| mv_expand gen_ai.policy.action
 
 // Filter for blocked profanity-related policy violations
 | where