-
Notifications
You must be signed in to change notification settings - Fork 516
/
Copy pathaws_bedrock_latency_anomalies_detection.toml
30 lines (30 loc) · 1.58 KB
/
aws_bedrock_latency_anomalies_detection.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
[hunt]
author = "Elastic"
description = """
This analytic helps identify delays in LLM responses that are outside expected performance parameters, possibly due to malicious disruptions like DDoS attacks or from operational inefficiencies.
"""
integration = ["aws_bedrock.invocation"]
uuid = "991b55c3-6327-4af6-8e0c-5d4870748369"
name = "AWS Bedrock LLM Latency Anomalies"
language = ["ES|QL"]
license = "Elastic License v2"
query = [
'''
from logs-aws_bedrock.invocation-*
| WHERE @timestamp > NOW() - 1 DAY
| EVAL response_delay_seconds = gen_ai.performance.start_response_time / 1000
| WHERE response_delay_seconds > 5
| STATS max_response_delay = max(response_delay_seconds),
request_count = count() BY gen_ai.user.id
| WHERE request_count > 3
| SORT max_response_delay DESC
'''
]
notes = [
"Review the incidents flagged by this analytic to understand the context and potential sources of latency. This can include network configurations, resource allocation, or external network pressures.",
"Effective logging and monitoring setup are essential to capture relevant latency metrics accurately. Ensure system clocks and time syncing are properly configured to avoid false positives.",
"Gather comprehensive logs that detail the request and response timestamps, user IDs, and session details for thorough investigation and evidence collection in case of security incidents."
]
mitre = ["AML.T0029"]
references = ["https://www.elastic.co/security-labs/elastic-advances-llm-security",
"https://owasp.org/www-project-top-10-for-large-language-model-applications/"]