Skip to content

[New Rule] AWS Bedrock Agent Credential Exfiltration Pattern in Invocation Content#6336

Open
eeee2345 wants to merge 1 commit into
elastic:mainfrom
eeee2345:rule/aws-bedrock-agent-credential-exfiltration
Open

[New Rule] AWS Bedrock Agent Credential Exfiltration Pattern in Invocation Content#6336
eeee2345 wants to merge 1 commit into
elastic:mainfrom
eeee2345:rule/aws-bedrock-agent-credential-exfiltration

Conversation

@eeee2345

Copy link
Copy Markdown

Resolves part of #6126. As discussed there, this is one behavioral ES|QL seed rule, not a content/phrase match.

What it does
Flags AWS Bedrock invocations whose request content references three or more distinct credential-exfiltration targets for the same caller and account within a one-minute window. Targets are fixed infrastructure: the cloud instance metadata endpoint, the SSH and AWS credential stores, and well-known secret token formats. The rule keys off the structural targets of the agent's tool-call and message traffic rather than a single literal phrase, so rephrasing a prompt does not bypass it. The 3-distinct-target threshold suppresses incidental one-off mentions.

Data source
aws_bedrock integration, invocation data stream (logs-aws_bedrock.invocation-*). Fields used (gen_ai.prompt, gen_ai.completion, user.id, cloud.account.id) are verified against the integration fields manifest. There is no aws_bedrock_agentcore or provider-neutral LLM integration in this repo today, so this targets the closest existing GenAI integration, consistent with the existing aws_bedrock LLM rules.

Maturity
Shipped at maturity = development for review. I have not been able to run remote ES|QL validation against a live stack, so I would value a maintainer running that and sanity-checking field and column types before this moves toward production. Threshold and window are starting points to tune against real volume.

Frameworks
MITRE ATT&CK T1552 (with sub-techniques .001 and .005) in the threat block. MITRE ATLAS T0098/T0086/T0055 in tags and references, per the thread.

Validation
detection_rules test passes locally (232 passed, 19 remote-only skipped). toml-lint clean.

CLA: I will sign the Elastic CLA.

Behavioral ES|QL detection over aws_bedrock invocation telemetry that
keys off the structural credential-exfiltration targets in an agent's
request content (cloud instance metadata endpoint, SSH and AWS credential
stores, well-known secret token formats) rather than a single literal
phrase. Aggregates per caller and account in a one-minute window and
fires on three or more distinct credential targets to keep false
positives low. Maps to MITRE ATT&CK T1552 and ATLAS T0098/T0086/T0055.

Seed rule for elastic#6126.
@cla-checker-service

cla-checker-service Bot commented Jun 28, 2026

Copy link
Copy Markdown

💚 CLA has been signed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

1 participant