Merge branch 'main' into add_historical_rules

Author: shashank-elastic

rules/integrations/aws_bedrock/aws_bedrock_execution_without_guardrails.toml

@@ -0,0 +1,89 @@
+[metadata]
+creation_date = "2024/11/25"
+maturity = "production"
+updated_date = "2024/11/25"
+min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview"
+min_stack_version = "8.13.0"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies multiple AWS Bedrock executions in a one minute time window without guardrails by the same user in the same account over a session. Multiple
+consecutive executions implies that a user may be intentionally attempting to bypass security controls, by not routing the requests with the desired guardrail configuration 
+in order to access sensitive information, or possibly exploit a vulnerability in the system.
+"""
+false_positives = ["Users testing new model deployments or updated compliance policies without Amazon Bedrock guardrails."]
+from = "now-60m"
+interval = "10m"
+language = "esql"
+license = "Elastic License v2"
+name = "AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session"
+references = [
+    "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html",
+    "https://atlas.mitre.org/techniques/AML.T0051",
+    "https://atlas.mitre.org/techniques/AML.T0054",
+    "https://www.elastic.co/security-labs/elastic-advances-llm-security"
+]
+risk_score = 47
+rule_id = "f2c653b7-7daf-4774-86f2-34cdbd1fc528"
+note = """## Triage and analysis
+
+### Investigating Amazon Bedrock Invocations without Guardrails Detected by a Single User Over a Session.
+
+Using Amazon Bedrock Guardrails during model invocation is critical for ensuring the safe, reliable, and ethical use of AI models. 
+Guardrails help manage risks associated with AI usage and ensure the output aligns with desired policies and standards.
+
+#### Possible investigation steps
+
+- Identify the user account that caused multiple model violations over a session without desired guardrail configuration and whether it should perform this kind of action.
+- Investigate the user activity that might indicate a potential brute force attack.
+- Investigate other alerts associated with the user account during the past 48 hours.
+- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?
+- Examine the account's prompts and responses in the last 24 hours.
+- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.
+
+### False positive analysis
+
+- Verify the user account that caused multiple policy violations by a single user over session, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Disable or limit the account during the investigation and response.
+- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
+    - Identify the account role in the cloud environment.
+    - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
+    - Identify any regulatory or legal ramifications related to this activity.
+- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
+setup = """## Setup
+
+This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:
+
+https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
+"""
+severity = "medium"
+tags = [
+    "Domain: LLM",
+    "Data Source: AWS Bedrock",
+    "Data Source: AWS S3",
+    "Resources: Investigation Guide",
+    "Use Case: Policy Violation",
+    "Mitre Atlas: T0051",
+    "Mitre Atlas: T0054",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws_bedrock.invocation-*
+// create time window buckets of 1 minute
+| eval time_window = date_trunc(1 minute, @timestamp)
+| where gen_ai.guardrail_id is NULL
+| KEEP @timestamp, time_window, gen_ai.guardrail_id , user.id
+| stats model_invocation_without_guardrails = count() by user.id
+| where model_invocation_without_guardrails > 5
+| sort model_invocation_without_guardrails desc
+'''

rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml

@@ -1,44 +1,44 @@
 [metadata]
 creation_date = "2024/05/05"
 maturity = "production"
-updated_date = "2024/11/05"
+updated_date = "2024/11/21"
 min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview"
 min_stack_version = "8.13.0"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects repeated high-confidence 'BLOCKED' actions coupled with specific violation codes such as 'MISCONDUCT',
-indicating persistent misuse or attempts to probe the model's ethical boundaries.
+Detects repeated high-confidence 'BLOCKED' actions coupled with specific 'Content Filter' policy violation having codes such as 'MISCONDUCT', 
+'HATE', 'SEXUAL', INSULTS', 'PROMPT_ATTACK', 'VIOLENCE' indicating persistent misuse or attempts to probe the model's ethical boundaries.
 """
 false_positives = ["New model deployments.", "Testing updates to compliance policies."]
 from = "now-60m"
 interval = "10m"
 language = "esql"
 license = "Elastic License v2"
-name = "Unusual High Confidence Misconduct Blocks Detected"
+name = "Unusual High Confidence Content Filter Blocks Detected"
 references = [
     "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html",
     "https://atlas.mitre.org/techniques/AML.T0051",
     "https://atlas.mitre.org/techniques/AML.T0054",
     "https://www.elastic.co/security-labs/elastic-advances-llm-security"
 ]
-risk_score = 73
+risk_score = 47
 rule_id = "4f855297-c8e0-4097-9d97-d653f7e471c4"
 note = """## Triage and analysis
 
-### Investigating Amazon Bedrock Guardrail High Confidence Misconduct Blocks.
+### Investigating Amazon Bedrock Guardrail High Confidence Content Filter Blocks.
 
 Amazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.
 
 It enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.
 
-Through Guardrail, organizations can define "denied topics" to prevent the model from generating content on specific, undesired subjects,
-and they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language.
+Through Guardrail, organizations can enable Content filter for Hate, Insults, Sexual Violence and Misconduct along with Prompt Attack filters prompts 
+to prevent the model from generating content on specific, undesired subjects, and they can establish thresholds for harmful content categories.
 
 #### Possible investigation steps
 
-- Identify the user account that queried denied topics and whether it should perform this kind of action.
+- Identify the user account whose prompts caused high confidence content filter blocks and whether it should perform this kind of action.
 - Investigate other alerts associated with the user account during the past 48 hours.
 - Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?
 - Examine the account's prompts and responses in the last 24 hours.
@@ -66,7 +66,7 @@ This rule requires that guardrails are configured in AWS Bedrock. For more infor
 
 https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
 """
-severity = "high"
+severity = "medium"
 tags = [
     "Domain: LLM",
     "Data Source: AWS Bedrock",
@@ -82,9 +82,13 @@ query = '''
 from logs-aws_bedrock.invocation-*
 | MV_EXPAND gen_ai.compliance.violation_code
 | MV_EXPAND gen_ai.policy.confidence
-| where gen_ai.policy.action == "BLOCKED" and gen_ai.policy.confidence LIKE "HIGH" and gen_ai.compliance.violation_code LIKE "MISCONDUCT"
-| keep user.id
-| stats high_confidence_blocks = count() by user.id
-| where high_confidence_blocks > 5
-| sort high_confidence_blocks desc
+| MV_EXPAND gen_ai.policy.name 
+| where gen_ai.policy.action == "BLOCKED" and gen_ai.policy.name == "content_policy" and gen_ai.policy.confidence LIKE "HIGH" and gen_ai.compliance.violation_code IN ("HATE", "MISCONDUCT", "SEXUAL", "INSULTS", "PROMPT_ATTACK", "VIOLENCE")
+| keep user.id, gen_ai.compliance.violation_code
+| stats block_count_per_violation = count() by user.id, gen_ai.compliance.violation_code 
+| SORT block_count_per_violation DESC 
+| keep user.id, gen_ai.compliance.violation_code, block_count_per_violation
+| STATS violation_count = SUM(block_count_per_violation) by user.id
+| WHERE violation_count > 5 
+| SORT violation_count DESC 
 '''

rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml

@@ -0,0 +1,89 @@
+[metadata]
+creation_date = "2024/11/20"
+maturity = "production"
+updated_date = "2024/11/20"
+min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview"
+min_stack_version = "8.13.0"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects repeated compliance violation 'BLOCKED' actions coupled with specific policy name such as 'sensitive_information_policy',
+indicating persistent misuse or attempts to probe the model's denied topics.
+"""
+false_positives = ["New model deployments.", "Testing updates to compliance policies."]
+from = "now-60m"
+interval = "10m"
+language = "esql"
+license = "Elastic License v2"
+name = "Unusual High Denied Sensitive Information Policy Blocks Detected"
+references = [
+    "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html",
+    "https://atlas.mitre.org/techniques/AML.T0051",
+    "https://atlas.mitre.org/techniques/AML.T0054",
+    "https://www.elastic.co/security-labs/elastic-advances-llm-security"
+]
+risk_score = 47
+rule_id = "0e1af929-42ed-4262-a846-55a7c54e7c84"
+note = """## Triage and analysis
+
+### Investigating Amazon Bedrock Guardrail High Sensitive Information Policy Blocks.
+
+Amazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.
+
+It enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.
+
+Through Guardrail, organizations can define "sensitive information filters" to prevent the model from generating content on specific, undesired subjects,
+and they can establish thresholds for harmful content categories.
+
+#### Possible investigation steps
+
+- Identify the user account that queried sensitive information and whether it should perform this kind of action.
+- Investigate other alerts associated with the user account during the past 48 hours.
+- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?
+- Examine the account's prompts and responses in the last 24 hours.
+- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.
+
+### False positive analysis
+
+- Verify the user account that queried denied topics, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Disable or limit the account during the investigation and response.
+- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
+    - Identify the account role in the cloud environment.
+    - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
+    - Identify any regulatory or legal ramifications related to this activity.
+- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
+setup = """## Setup
+
+This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:
+
+https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
+"""
+severity = "medium"
+tags = [
+    "Domain: LLM",
+    "Data Source: AWS Bedrock",
+    "Data Source: AWS S3",
+    "Use Case: Policy Violation",
+    "Mitre Atlas: T0051",
+    "Mitre Atlas: T0054",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws_bedrock.invocation-*
+| MV_EXPAND gen_ai.policy.name 
+| where gen_ai.policy.action == "BLOCKED" and gen_ai.compliance.violation_detected == "true" and gen_ai.policy.name == "sensitive_information_policy"
+| keep user.id
+| stats sensitive_information_block = count() by user.id
+| where sensitive_information_block > 5
+| sort sensitive_information_block desc
+'''

rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml

@@ -0,0 +1,89 @@
+[metadata]
+creation_date = "2024/11/20"
+maturity = "production"
+updated_date = "2024/11/20"
+min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview"
+min_stack_version = "8.13.0"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects repeated compliance violation 'BLOCKED' actions coupled with specific policy name such as 'topic_policy',
+indicating persistent misuse or attempts to probe the model's denied topics.
+"""
+false_positives = ["New model deployments.", "Testing updates to compliance policies."]
+from = "now-60m"
+interval = "10m"
+language = "esql"
+license = "Elastic License v2"
+name = "Unusual High Denied Topic Blocks Detected"
+references = [
+    "https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html",
+    "https://atlas.mitre.org/techniques/AML.T0051",
+    "https://atlas.mitre.org/techniques/AML.T0054",
+    "https://www.elastic.co/security-labs/elastic-advances-llm-security"
+]
+risk_score = 47
+rule_id = "266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73"
+note = """## Triage and analysis
+
+### Investigating Amazon Bedrock Guardrail High Denied Topic Blocks.
+
+Amazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.
+
+It enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.
+
+Through Guardrail, organizations can define "denied topics" to prevent the model from generating content on specific, undesired subjects,
+and they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language.
+
+#### Possible investigation steps
+
+- Identify the user account that queried denied topics and whether it should perform this kind of action.
+- Investigate other alerts associated with the user account during the past 48 hours.
+- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?
+- Examine the account's prompts and responses in the last 24 hours.
+- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.
+
+### False positive analysis
+
+- Verify the user account that queried denied topics, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Disable or limit the account during the investigation and response.
+- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
+    - Identify the account role in the cloud environment.
+    - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
+    - Identify any regulatory or legal ramifications related to this activity.
+- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
+setup = """## Setup
+
+This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:
+
+https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
+"""
+severity = "medium"
+tags = [
+    "Domain: LLM",
+    "Data Source: AWS Bedrock",
+    "Data Source: AWS S3",
+    "Use Case: Policy Violation",
+    "Mitre Atlas: T0051",
+    "Mitre Atlas: T0054",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws_bedrock.invocation-*
+| MV_EXPAND gen_ai.policy.name 
+| where gen_ai.policy.action == "BLOCKED" and gen_ai.compliance.violation_detected == "true" and gen_ai.policy.name == "topic_policy"
+| keep user.id
+| stats denied_topics = count() by user.id
+| where denied_topics > 5
+| sort denied_topics desc
+'''