Rules: Outlier in AWS Bedrock Foundation Model Enumeration Calls from User
An outlier in the number of Foundation Model Enumeration API Calls from a user within an hour time period was observed. These events may be part of normal Bedrock operations or may be indicative of enumeration/discovery attempts. Observe the username, role, user agent and source IP to confirm whether this activity is expected. If this signal is triggering frequently, consider excluding certain authorized users via tuning expression.
| Detail | Value |
|---|---|
| Type | Outlier |
| Category | Discovery |
| Apply Risk to Entities | user_username |
| Signal Name | Outlier in AWS Bedrock Foundation Model Enumeration Calls from User: {{user_username}} |
| Summary Expression | Outlier in AWS Bedrock Foundation Model Enumeration Calls from User: {{user_username}} |
| Retention Window | 3024000000 |
| Baseline Window | 2592000000 |
| Standard Deviation Threshold | 1 |
| Floor Value | 5 |
| Score/Severity | Static: 1 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTechnique:T1526, _mitreAttackTactic:TA0007 |
| Origin | Field |
|---|---|
| Normalized Schema | application |
| Normalized Schema | metadata_product |
| Normalized Schema | metadata_vendor |
| Normalized Schema | user_username |