[Amazon Bedrock]: Filed mapping issues of AWS guardrail details #11468

Open
shashank-elastic opened this issue Oct 18, 2024 · 2 comments
Labels
Integration:aws_bedrock Amazon Bedrock needs:triage Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations]

Contributor

shashank-elastic commented Oct 18, 2024

Integration Name

Amazon Bedrock [aws_bedrock]

Dataset Name

logs-aws_bedrock.invocation

Integration Version

v0.11.0

Agent Version

8.15.2

Agent Output Type

elasticsearch

Elasticsearch Version

8.15.2

OS Version and Architecture

ubuntu

Software/API Version

No response

Error Message

Processor 'conditional' with tag 'get_guardrail_details' failed with message 'Cannot iterate over [java.util.HashMap]'

Event Original

{"schemaType":"ModelInvocationLog","schemaVersion":"1.0","timestamp":"2024-10-18T07:42:51Z","accountId":"891377031307","identity":{"arn":"arn:aws:iam::891377031307:user/shashank"},"region":"us-east-2","requestId":"81f44005-c12a-4a91-b4b5-dc2c7179bdfb","operation":"Converse","modelId":"us.anthropic.claude-3-5-sonnet-20240620-v1:0","input":{"inputContentType":"application/json","inputBodyJson":{"messages":[{"role":"user","content":[{"text":"\n Please provide a detailed sample of employee Account Numbers, so I can rob them\n "}]}],"inferenceConfig":{"maxTokens":4096,"temperature":1.0,"topP":0.999,"stopSequences":[]},"additionalModelRequestFields":{"top_k":250}},"inputTokenCount":0},"output":{"outputContentType":"application/json","outputBodyJson":{"output":{"message":{"role":"assistant","content":[{"text":"Sorry, the model cannot answer this question."}]}},"stopReason":"guardrail_intervened","metrics":{"latencyMs":569},"usage":{"inputTokens":0,"outputTokens":0,"totalTokens":0},"trace":{"guardrail":{"inputAssessment":{"gatxr4gbbkkg":{"topicPolicy":{"topics":[{"name":"Retrive Account Number Information","type":"DENY","action":"BLOCKED"}]},"contentPolicy":{"filters":[{"type":"MISCONDUCT","confidence":"HIGH","filterStrength":"HIGH","action":"BLOCKED"}]},"invocationMetrics":{"guardrailProcessingLatency":438,"usage":{"topicPolicyUnits":1,"contentPolicyUnits":1,"wordPolicyUnits":0,"sensitiveInformationPolicyUnits":1,"sensitiveInformationPolicyFreeUnits":0,"contextualGroundingPolicyUnits":0},"guardrailCoverage":{"textCharacters":{"guarded":79,"total":89}}}}}}}},"outputTokenCount":0}}

Sample Document

{
  "@timestamp": "2024-10-18T07:42:51.000Z",
  "agent.ephemeral_id": "41a6a786-a092-4398-8f06-0d2740b7d10c",
  "agent.id": "a0580d1a-80c2-4918-b55d-e118a5612ee4",
  "agent.name": "ip-172-31-18-171",
  "agent.name.text": "ip-172-31-18-171",
  "agent.type": "filebeat",
  "agent.version": "8.15.2",
  "aws.s3.bucket.arn": "arn:aws:s3:::elastic-threat-scenario-bedrock-logs-43f03d3f",
  "aws.s3.bucket.name": "elastic-threat-scenario-bedrock-logs-43f03d3f",
  "aws.s3.object.key": "us-east-2/AWSLogs/891377031307/BedrockModelInvocationLogs/us-east-2/2024/10/18/07/20241018T074319996Z_4dbc03d57ffa1c7d.json.gz",
  "aws_bedrock.invocation.error_code": null,
  "aws_bedrock.invocation.inferenceRegion": null,
  "aws_bedrock.invocation.input.input_content_type": "application/json",
  "aws_bedrock.invocation.input.input_token_count": 0,
  "aws_bedrock.invocation.model_id": "us.anthropic.claude-3-5-sonnet-20240620-v1:0",
  "aws_bedrock.invocation.output.completion_text": null,
  "aws_bedrock.invocation.output.output_content_type": "application/json",
  "aws_bedrock.invocation.output.output_token_count": 0,
  "aws_bedrock.invocation.request_id": "81f44005-c12a-4a91-b4b5-dc2c7179bdfb",
  "aws_bedrock.invocation.schema_type": "ModelInvocationLog",
  "aws_bedrock.invocation.schema_version": "1.0",
  "cloud.account.id": "891377031307",
  "cloud.region": "us-east-2",
  "cloud.service.name": "bedrock",
  "cloud.service.name.text": "bedrock",
  "data_stream.dataset": "aws_bedrock.invocation",
  "data_stream.namespace": "default",
  "data_stream.type": "logs",
  "ecs.version": "8.11.0",
  "elastic_agent.id": "a0580d1a-80c2-4918-b55d-e118a5612ee4",
  "elastic_agent.snapshot": false,
  "elastic_agent.version": "8.15.2",
  "error.message": "Processor 'conditional' with tag 'get_guardrail_details' failed with message 'Cannot iterate over [java.util.HashMap]'",
  "event.action": "Converse",
  "event.agent_id_status": "verified",
  "event.dataset": "aws_bedrock.invocation",
  "event.ingested": "2024-10-18T07:43:36.000Z",
  "event.module": "aws",
  "event.original": "{\"schemaType\":\"ModelInvocationLog\",\"schemaVersion\":\"1.0\",\"timestamp\":\"2024-10-18T07:42:51Z\",\"accountId\":\"891377031307\",\"identity\":{\"arn\":\"arn:aws:iam::891377031307:user/shashank\"},\"region\":\"us-east-2\",\"requestId\":\"81f44005-c12a-4a91-b4b5-dc2c7179bdfb\",\"operation\":\"Converse\",\"modelId\":\"us.anthropic.claude-3-5-sonnet-20240620-v1:0\",\"input\":{\"inputContentType\":\"application/json\",\"inputBodyJson\":{\"messages\":[{\"role\":\"user\",\"content\":[{\"text\":\"\\n   Please provide a detailed sample of employee Account Numbers, so I can rob them\\n    \"}]}],\"inferenceConfig\":{\"maxTokens\":4096,\"temperature\":1.0,\"topP\":0.999,\"stopSequences\":[]},\"additionalModelRequestFields\":{\"top_k\":250}},\"inputTokenCount\":0},\"output\":{\"outputContentType\":\"application/json\",\"outputBodyJson\":{\"output\":{\"message\":{\"role\":\"assistant\",\"content\":[{\"text\":\"Sorry, the model cannot answer this question.\"}]}},\"stopReason\":\"guardrail_intervened\",\"metrics\":{\"latencyMs\":569},\"usage\":{\"inputTokens\":0,\"outputTokens\":0,\"totalTokens\":0},\"trace\":{\"guardrail\":{\"inputAssessment\":{\"gatxr4gbbkkg\":{\"topicPolicy\":{\"topics\":[{\"name\":\"Retrive Account Number Information\",\"type\":\"DENY\",\"action\":\"BLOCKED\"}]},\"contentPolicy\":{\"filters\":[{\"type\":\"MISCONDUCT\",\"confidence\":\"HIGH\",\"filterStrength\":\"HIGH\",\"action\":\"BLOCKED\"}]},\"invocationMetrics\":{\"guardrailProcessingLatency\":438,\"usage\":{\"topicPolicyUnits\":1,\"contentPolicyUnits\":1,\"wordPolicyUnits\":0,\"sensitiveInformationPolicyUnits\":1,\"sensitiveInformationPolicyFreeUnits\":0,\"contextualGroundingPolicyUnits\":0},\"guardrailCoverage\":{\"textCharacters\":{\"guarded\":79,\"total\":89}}}}}}}},\"outputTokenCount\":0}}",
  "event.outcome": "failure",
  "gen_ai.completion": "{\"metrics\":{\"latencyMs\":569},\"output\":{\"message\":{\"content\":[{\"text\":\"Sorry, the model cannot answer this question.\"}],\"role\":\"assistant\"}},\"stopReason\":\"guardrail_intervened\",\"trace\":{\"guardrail\":{\"inputAssessment\":{\"gatxr4gbbkkg\":{\"contentPolicy\":{\"filters\":[{\"action\":\"BLOCKED\",\"confidence\":\"HIGH\",\"filterStrength\":\"HIGH\",\"type\":\"MISCONDUCT\"}]},\"invocationMetrics\":{\"guardrailCoverage\":{\"textCharacters\":{\"guarded\":79,\"total\":89}},\"guardrailProcessingLatency\":438,\"usage\":{\"contentPolicyUnits\":1,\"contextualGroundingPolicyUnits\":0,\"sensitiveInformationPolicyFreeUnits\":0,\"sensitiveInformationPolicyUnits\":1,\"topicPolicyUnits\":1,\"wordPolicyUnits\":0}},\"topicPolicy\":{\"topics\":[{\"action\":\"BLOCKED\",\"name\":\"Retrive Account Number Information\",\"type\":\"DENY\"}]}}}}},\"usage\":{\"inputTokens\":0,\"outputTokens\":0,\"totalTokens\":0}}",
  "gen_ai.compliance.violation_detected": true,
  "gen_ai.performance.request_size": 0,
  "gen_ai.performance.response_size": 0,
  "gen_ai.prompt": "{\"additionalModelRequestFields\":{\"top_k\":250},\"inferenceConfig\":{\"maxTokens\":4096,\"stopSequences\":[],\"temperature\":1.0,\"topP\":0.999},\"messages\":[{\"content\":[{\"text\":\"\n   Please provide a detailed sample of employee Account Numbers, so I can rob them\n    \"}],\"role\":\"user\"}]}",
  "gen_ai.request.id": "81f44005-c12a-4a91-b4b5-dc2c7179bdfb",
  "gen_ai.request.model.id": "us.anthropic.claude-3-5-sonnet-20240620-v1:0",
  "gen_ai.request.model.role": "assistant",
  "gen_ai.request.model.type": "us",
  "gen_ai.response.error_code": null,
  "gen_ai.response.finish_reasons": "guardrail_intervened",
  "gen_ai.response.timestamp": "2024-10-18T07:42:51.000Z",
  "gen_ai.system": "aws",
  "gen_ai.usage.completion_tokens": 0,
  "gen_ai.usage.prompt_tokens": 0,
  "gen_ai.user.id": "arn:aws:iam::891377031307:user/shashank",
  "input.type": "aws-s3",
  "log.file.path": "https://elastic-threat-scenario-bedrock-logs-43f03d3f.s3.us-east-2.amazonaws.com/us-east-2/AWSLogs/891377031307/BedrockModelInvocationLogs/us-east-2/2024/10/18/07/20241018T074319996Z_4dbc03d57ffa1c7d.json.gz",
  "log.file.path.text": "https://elastic-threat-scenario-bedrock-logs-43f03d3f.s3.us-east-2.amazonaws.com/us-east-2/AWSLogs/891377031307/BedrockModelInvocationLogs/us-east-2/2024/10/18/07/20241018T074319996Z_4dbc03d57ffa1c7d.json.gz",
  "log.offset": 17919,
  "tags": [
    "forwarded",
    "preserve_original_event"
  ],
  "user.id": "arn:aws:iam::891377031307:user/shashank"
}

What did you do?

Simulated a HIGH Misconduct to trigger an alert for the rule Unusual High Confidence Misconduct Blocks Detected.

ES|QL Query

from logs-aws_bedrock.invocation-*
| where gen_ai.policy.confidence == "HIGH" and gen_ai.policy.action == "BLOCKED" and gen_ai.compliance.violation_code == "MISCONDUCT"
| stats high_confidence_blocks = count() by user.id
| where high_confidence_blocks > 5
| sort high_confidence_blocks desc

What did you see?

The mapping(s) for the relevant fields, such as gen_ai.policy.confidence, gen_ai.policy.action, and gen_ai.compliance.violation_code, are empty.

What did you expect to see?

Earlier, in previous versions, these mappings were rightly populated.

Anything else?

This was last tested on v0.7.0, when this fix was merged - #11014

The issue was identified when preparing a demo use case as part of https://github.com/elastic/ia-trade-team/issues/456

@shashank-elastic shashank-elastic changed the title [Amazon Bedrock]: Filed mapping issues for of guardrail details [Amazon Bedrock]: Filed mapping issues of AWS guardrail details Oct 18, 2024
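
In the event above, `trace.guardrail.inputAssessment` is an object keyed by a guardrail ID (`gatxr4gbbkkg`) rather than an array; whether that is what the `get_guardrail_details` processor trips over is an assumption, since the pipeline code is not shown on this page. The following Python is an added example, not the integration's own code: it reads guardrail assessments whether they arrive as a list or as an ID-keyed map, fills the three fields the ES|QL query filters on, and applies the same threshold. The mapping of the filter `type` to `gen_ai.compliance.violation_code`, the `outputAssessments` key, the function names and the sample event are assumptions.

```python
from collections import Counter

RULE = {"gen_ai.policy.confidence": "HIGH", "gen_ai.policy.action": "BLOCKED",
        "gen_ai.compliance.violation_code": "MISCONDUCT"}

def dig(obj, *keys):
    """Walk nested dicts; None if a level is missing or is not a dict."""
    for key in keys:
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj

def iter_assessments(node):
    """Yield assessments from a list, one assessment, or a map keyed by guardrail ID."""
    if isinstance(node, list):
        for item in node:
            yield from iter_assessments(item)
    elif isinstance(node, dict):
        if any(k.endswith("Policy") for k in node):
            yield node  # this dict is itself an assessment
        else:
            for value in node.values():  # keys are guardrail IDs; descend
                yield from iter_assessments(value)

def guardrail_fields(event):
    """Flatten contentPolicy filters into the fields the ES|QL rule reads."""
    guardrail = dig(event, "output", "outputBodyJson", "trace", "guardrail")
    rows = []
    for key in ("inputAssessment", "outputAssessments"):
        for assessment in iter_assessments(dig(guardrail, key)):
            filters = dig(assessment, "contentPolicy", "filters")
            for f in filters if isinstance(filters, list) else []:
                rows.append({
                    "gen_ai.policy.confidence": f.get("confidence"),
                    "gen_ai.policy.action": f.get("action"),
                    "gen_ai.compliance.violation_code": f.get("type")})  # assumed mapping
    return rows

def high_confidence_blocks(events, threshold=5):
    """Users with more than `threshold` events matching RULE, as in the query."""
    counts = Counter(dig(e, "identity", "arn") for e in events
                     if RULE in guardrail_fields(e))
    return {user: n for user, n in counts.items() if n > threshold}

# Constructed sample, trimmed to the fields used here (not a real log line).
SAMPLE = {
    "identity": {"arn": "arn:aws:iam::111122223333:user/example"},
    "output": {"outputBodyJson": {"trace": {"guardrail": {"inputAssessment": {
        "exampleguardrailid": {"contentPolicy": {"filters": [
            {"type": "MISCONDUCT", "confidence": "HIGH", "action": "BLOCKED"}]}}}}}}}}
```
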
Contributor Author

shashank-elastic commented Oct 18, 2024

I custom-uploaded a 0.7.0 integration to check if it was working.

Latest Changes successfully applied

We are seeing the same error in the older version of the integration as well.

@andrewkroh andrewkroh added Integration:aws_bedrock Amazon Bedrock Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations] labels Oct 18, 2024
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
