
Summary
This detection rule identifies users who repeatedly trigger compliance violations against a specific guardrail policy, notably 'sensitive_information_policy', which can indicate attempts to probe or circumvent a model's refusal to discuss sensitive topics in Amazon Bedrock generative AI applications. The rule is written in ESQL and analyzes AWS Bedrock logs, focusing on actions marked as 'BLOCKED' when a sensitive information policy is invoked. A higher than usual number of such blocked actions from a single user (more than five instances in the last hour) triggers an alert, which may indicate abuse or probing behavior. The rule includes detailed triage and investigation steps, emphasizing review of the user's activity, possible account compromise, and compliance with the guardrails established in Amazon Bedrock. False positives can arise from legitimate scenarios such as new model deployments or updates to compliance policies, so although the risk score is moderate (47), careful analysis of the context is essential for effective incident response.
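As an added illustration of the rule's aggregation logic (this is not the rule's own ESQL, and the event field names and sample events are constructed assumptions rather than the rule's data source), the Python below replays the per-user threshold over Bedrock guardrail events and shows why the one-hour window and the policy filter both matter:

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 11, 20, 12, 0, tzinfo=timezone.utc)  # constructed "current time"
THRESHOLD = 5                 # alert when a user exceeds this many blocks
WINDOW = timedelta(hours=1)   # look-back window the rule uses
POLICY = "sensitive_information_policy"


def make_event(user, minutes_ago, action="BLOCKED", policy=POLICY):
    """Build a constructed log event. Field names are assumptions and do not
    claim to match the exact fields of the rule's Bedrock log source."""
    return {
        "user": user,
        "timestamp": NOW - timedelta(minutes=minutes_ago),
        "guardrail_action": action,
        "guardrail_policy": policy,
    }


# Constructed sample: alice exceeds the threshold inside the window, bob's
# older blocks fall outside it, carol's blocks come from a different policy,
# and one ALLOWED action for alice must not be counted at all.
SAMPLE_EVENTS = (
    [make_event("alice", m) for m in range(5, 65, 10)]            # 6 in window
    + [make_event("bob", m) for m in (10, 20, 30)]                 # 3 in window
    + [make_event("bob", m) for m in (70, 80, 90, 100)]            # 4 too old
    + [make_event("carol", m, policy="content_policy") for m in range(1, 7)]
    + [make_event("alice", 15, action="ALLOWED")]                  # not blocked
)


def is_blocked_by_policy(event, policy=POLICY):
    """True only for BLOCKED actions attributed to the given guardrail policy."""
    return event["guardrail_action"] == "BLOCKED" and event["guardrail_policy"] == policy


def users_over_threshold(events, now=NOW, threshold=THRESHOLD, window=WINDOW):
    """Count blocked sensitive-information-policy actions per user inside the
    look-back window and return {user: count} for users over the threshold."""
    counts = defaultdict(int)
    start = now - window
    for event in events:
        if start <= event["timestamp"] <= now and is_blocked_by_policy(event):
            counts[event["user"]] += 1
    return {user: n for user, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for user, n in users_over_threshold(SAMPLE_EVENTS).items():
        print(f"alert: {user} hit {n} {POLICY} blocks in the last hour")
```

Widening the window to two hours pulls bob's older blocks back in, which is the kind of tuning the triage notes on false positives argue should be done with the deployment context in mind.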
Categories
- Cloud
- AWS
- Application
- Identity Management
Data Sources
- User Account
- Cloud Service
- Network Traffic
ATT&CK Techniques
- T0051
- T0054
Created: 2024-11-20