
[New Rule] AWS Bedrock Agent Credential Exfiltration Pattern in Invocation Content#6336

Open

eeee2345 wants to merge 1 commit into elastic:main from eeee2345:rule/aws-bedrock-agent-credential-exfiltration

Conversation

@eeee2345


Resolves part of #6126. As discussed there, this is one behavioral ES|QL seed rule, not a content/phrase match.

What it does
Flags AWS Bedrock invocations whose request content references three or more distinct credential-exfiltration targets for the same caller and account within a one-minute window. Targets are fixed infrastructure: the cloud instance metadata endpoint, the SSH and AWS credential stores, and well-known secret token formats. The rule keys off the structural targets of the agent's tool-call and message traffic rather than a single literal phrase, so rephrasing a prompt does not bypass it. The 3-distinct-target threshold suppresses incidental one-off mentions.

Data source
aws_bedrock integration, invocation data stream (logs-aws_bedrock.invocation-*). Fields used (gen_ai.prompt, gen_ai.completion, user.id, cloud.account.id) are verified against the integration fields manifest. There is no aws_bedrock_agentcore or provider-neutral LLM integration in this repo today, so this targets the closest existing GenAI integration, consistent with the existing aws_bedrock LLM rules.

Maturity
Shipped at maturity = development for review. I have not been able to run remote ES|QL validation against a live stack, so I would value a maintainer running that and sanity-checking field and column types before this moves toward production. Threshold and window are starting points to tune against real volume.

Frameworks
MITRE ATT&CK T1552 (with sub-techniques .001 and .005) in the threat block. MITRE ATLAS T0098/T0086/T0055 in tags and references, per the thread.

Validation
detection_rules test passes locally (232 passed, 19 remote-only skipped). toml-lint clean.

CLA: I will sign the Elastic CLA.

Behavioral ES|QL detection over aws_bedrock invocation telemetry that
keys off the structural credential-exfiltration targets in an agent's
request content (cloud instance metadata endpoint, SSH and AWS credential
stores, well-known secret token formats) rather than a single literal
phrase. Aggregates per caller and account in a one-minute window and
fires on three or more distinct credential targets to keep false
positives low. Maps to MITRE ATT&CK T1552 and ATLAS T0098/T0086/T0055.

Seed rule for elastic#6126.
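The grouping-and-threshold logic described in the PR description and the commit message above, as an added Python example rather than the PR's own ES|QL query (which is not shown on this page): it runs over constructed, flattened invocation documents. The target regexes, the flat field names, the window bucketing and the sample prompts are all assumptions of this example, not values taken from the rule.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed credential-target patterns; the PR's own patterns are not visible on this page.
# Each category counts once per window no matter how often it appears, so a prompt that
# repeats one path many times still contributes a single distinct target.
CREDENTIAL_TARGETS = {
    "imds_endpoint": re.compile(r"169\.254\.169\.254|metadata\.google\.internal", re.I),
    "ssh_store": re.compile(r"(~|/home/[^/\s]+|/root)/\.ssh/", re.I),
    "aws_cred_store": re.compile(r"(~|/home/[^/\s]+|/root)/\.aws/credentials", re.I),
    "secret_token_format": re.compile(r"\bAKIA[0-9A-Z]{16}\b|\bghp_[A-Za-z0-9]{36}\b"),
}
WINDOW_SECONDS = 60   # one-minute window, as in the PR description
THRESHOLD = 3         # fire on three or more distinct targets

# Constructed sample documents with flattened field names; not real telemetry.
SAMPLE_INVOCATIONS = """\
{"@timestamp":"2026-06-28T10:00:05Z","user.id":"agent-svc","cloud.account.id":"111111111111","gen_ai.prompt":"List the files under ~/.ssh/ and summarise them."}
{"@timestamp":"2026-06-28T10:00:20Z","user.id":"agent-svc","cloud.account.id":"111111111111","gen_ai.prompt":"Summarise ~/.aws/credentials and http://169.254.169.254/latest/meta-data/"}
{"@timestamp":"2026-06-28T10:00:40Z","user.id":"agent-svc","cloud.account.id":"111111111111","gen_ai.completion":"The file contains AKIAIOSFODNN7EXAMPLE."}
{"@timestamp":"2026-06-28T10:01:10Z","user.id":"agent-svc","cloud.account.id":"111111111111","gen_ai.prompt":"Check ~/.ssh/config for the bastion alias."}
{"@timestamp":"2026-06-28T10:03:00Z","user.id":"analyst-1","cloud.account.id":"111111111111","gen_ai.prompt":"Why should 169.254.169.254 be blocked from containers?"}
"""

def load_events(ndjson):
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]

def find_targets(text):
    """Distinct target categories referenced in one text field (None-safe)."""
    return {name for name, rx in CREDENTIAL_TARGETS.items() if rx.search(text or "")}

def evaluate(events):
    """One alert per (user.id, cloud.account.id, minute bucket) reaching THRESHOLD distinct targets."""
    buckets = defaultdict(set)
    for ev in events:
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        bucket = int(ts.timestamp()) // WINDOW_SECONDS * WINDOW_SECONDS
        key = (ev.get("user.id"), ev.get("cloud.account.id"), bucket)
        # Prompt and completion both count, mirroring the fields the PR lists.
        buckets[key] |= find_targets(ev.get("gen_ai.prompt")) | find_targets(ev.get("gen_ai.completion"))
    return [
        {"user.id": u, "cloud.account.id": a,
         "window_start": datetime.fromtimestamp(b, timezone.utc).isoformat(),
         "targets": sorted(t)}
        for (u, a, b), t in sorted(buckets.items()) if len(t) >= THRESHOLD
    ]

if __name__ == "__main__":
    for alert in evaluate(load_events(SAMPLE_INVOCATIONS)):
        print(alert)
```

On the sample data only the agent-svc 10:00 window fires (four distinct targets across three documents); the single mention at 10:01 and the analyst's one-off reference at 10:03 stay below the threshold, which is the suppression behaviour the description claims.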
cla-checker-service Bot commented Jun 28, 2026


💚 CLA has been signed
