
Unusual High Denied Topic Blocks Detected

Elastic Detection Rules

Summary
This detection rule identifies unusual patterns of compliance violations in AWS Bedrock, specifically actions labeled 'BLOCKED' that are attributed to the guardrail policy named 'topic_policy'. Such patterns may indicate persistent misuse or attempts to probe areas of the model that are specifically restricted from generating content. The rule queries AWS Bedrock invocation logs for events where a 'BLOCKED' action coincides with a detected compliance violation, and applies a threshold: a user whose actions produce more than five denied topics within a 60-minute interval is flagged. This surfaces potentially malicious behavior as well as misconfigurations in user deployments.

Potential false positives can arise from legitimate activity such as new model deployments or updates to compliance policies. The note accompanying the rule outlines a structured approach to triage and analysis, guiding investigators in determining whether a flagged user account is behaving as expected or may have been compromised. Recommended investigative steps include reviewing the historical actions of the flagged account, scrutinizing the timing of the events, and, where necessary, limiting or disabling the account's access for the duration of the investigation. Overall, the rule serves as a proactive measure to uphold compliance and strengthen the security of generative AI applications.
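As an added illustration (not the rule's own query, which this page does not reproduce), the following Python implements the threshold logic the summary describes over constructed Bedrock-style invocation records. The field names (`user_id`, `policy_name`, `policy_action`, `violation_detected`, `@timestamp`) and all sample values are assumptions, chosen to resemble a flattened invocation log rather than to match any integration's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)   # interval named in the rule summary
THRESHOLD = 5                    # rule fires when a user exceeds this many blocks

# Constructed sample records; field names are assumptions, not a real schema.
BASE = datetime(2024, 11, 20, 10, 0)

def _ev(user, minutes, policy="topic_policy", action="BLOCKED", violation=True):
    """Build one constructed, flattened invocation-log record."""
    return {"@timestamp": (BASE + timedelta(minutes=minutes)).isoformat(),
            "user_id": user, "policy_name": policy,
            "policy_action": action, "violation_detected": violation}

SAMPLE_EVENTS = (
    [_ev("alice", m) for m in (0, 5, 12, 20, 33, 41)]        # 6 blocks in 41 min: fires
    + [_ev("bob", m) for m in (0, 40, 80, 120, 160, 200)]      # 6 blocks, never >2 per hour
    + [_ev("carol", m, policy="content_policy") for m in range(6)]  # other guardrail policy
    + [_ev("dave", m, action="ALLOWED", violation=False) for m in range(6)]  # no violation
    + [_ev("erin", m) for m in range(5)]                       # exactly 5: below threshold
)

def is_denied_topic_block(event):
    """True only for BLOCKED topic_policy events that carry a compliance violation."""
    return (event.get("violation_detected") is True
            and event.get("policy_name") == "topic_policy"
            and event.get("policy_action") == "BLOCKED")

def find_offending_users(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user_id: peak_count} for users with more than `threshold`
    denied-topic blocks inside any sliding window shorter than `window`."""
    by_user = defaultdict(list)
    for e in events:
        if is_denied_topic_block(e):
            by_user[e["user_id"]].append(datetime.fromisoformat(e["@timestamp"]))
    hits = {}
    for user, times in by_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Advance the window start until all retained events lie within `window`.
            while t - times[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            hits[user] = peak
    return hits

if __name__ == "__main__":
    print(find_offending_users(SAMPLE_EVENTS))  # {'alice': 6}
```

Only alice is reported: bob's blocks are too spread out, carol's come from a different policy, dave's were not blocked, and erin sits exactly at the threshold rather than above it.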
Categories
  • Cloud
  • AWS
  • Application
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T0051
  • T0054
Created: 2024-11-20