[Tuning] Add mv_expand for gen_ai.policy.action field (#5296)

Mikaayenson · shashank-elastic · web-flow · commit 4e1c8f677cc8 · 2025-11-11T07:37:40.000+05:30
Resolves #5202 Resolves #5203 Resolves #5204 The gen_ai.policy.action field is an array, so an additional mv_expand is necessary for the rules to work correctly with AWS Bedrock integration events that contain multiple policy actions. Updated rules: - Unusual High Word Policy Blocks Detected - Unusual High Denied Topic Blocks Detected - Unusual High Denied Sensitive Information Policy Blocks Detected - Unusual High Confidence Content Filter Blocks Detected - AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml b/rules/integrations/aws_bedrock/aws_bedrock_guardrails_multiple_violations_in_single_request.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/02"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2025/11/10"
 
 [rule]
 author = ["Elastic"]
@@ -83,6 +83,9 @@ type = "esql"
 query = '''
 from logs-aws_bedrock.invocation-*
 
+// Expand multi-value policy action field
+| mv_expand gen_ai.policy.action
+
 // Filter for policy-blocked requests
 | where gen_ai.policy.action == "BLOCKED"
 
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_high_confidence_misconduct_blocks_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/05"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2025/11/10"
 
 [rule]
 author = ["Elastic"]
@@ -86,6 +86,7 @@ from logs-aws_bedrock.invocation-*
 | mv_expand gen_ai.compliance.violation_code
 | mv_expand gen_ai.policy.confidence
 | mv_expand gen_ai.policy.name
+| mv_expand gen_ai.policy.action
 
 // Filter for high-confidence content policy blocks with targeted violations
 | where
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/20"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2025/11/10"
 
 [rule]
 author = ["Elastic"]
@@ -83,6 +83,7 @@ from logs-aws_bedrock.invocation-*
 
 // Expand multi-valued policy name field
 | mv_expand gen_ai.policy.name
+| mv_expand gen_ai.policy.action
 
 // Filter for blocked actions related to sensitive info policy
 | where
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_topic_policy_blocks_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/20"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2025/11/10"
 
 [rule]
 author = ["Elastic"]
@@ -83,6 +83,7 @@ from logs-aws_bedrock.invocation-*
 
 // Expand multi-value policy name field
 | mv_expand gen_ai.policy.name
+| mv_expand gen_ai.policy.action
 
 // Filter for blocked topic policy violations
 | where
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_word_policy_blocks_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/20"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2025/09/25"
+updated_date = "2025/11/10"
 
 [rule]
 author = ["Elastic"]
@@ -83,6 +83,7 @@ from logs-aws_bedrock.invocation-*
 
 // Expand multivalued policy names
 | mv_expand gen_ai.policy.name
+| mv_expand gen_ai.policy.action
 
 // Filter for blocked profanity-related policy violations
 | where
