[Hunt Tuning] Add Descriptions, Collapse Queries and Re-Generate Docs (…

…#3791)

* add description to hunting schema; change queries to be a list

* update createremotethreat by process hunt

* update dll hijack and masquerading as MSFT library

* remove sysmon specific dDLL hijack via masquerading MSFT library

* updated Masquerading Attempts as Native Windows Binaries

* updates Rare DLL Side-Loading by Occurrence

* updates Rare LSASS Process Access Attempts

* update DNS Queries via LOLBins with Low Occurence Frequency

* updated Low Occurrence of Drivers Loaded on Unique Hosts

* updates Excessive RDP Network Activity by Host and User

* updates Excessive SMB Network Activity by Process ID

* updated Executable File Creation by an Unusual Microsoft Binary

* Frequency of Process Execution and Network Logon by Source Address

* updates Frequency of Process Execution and Network Logon by Source Address

* updated Execution via Remote Services by Client Address

* updated Startup Execution with Low Occurrence Frequency by Unique Host

* updated Low Frequency of Process Execution via WMI by Unique Agent

* updated Low Frequency of Process Execution via Windows Scheduled Task by Unique Agent

* updated Low Occurence of Process Execution via Windows Services with Unique Agent

* Updated High Count of Network Connection Over Extended Period by Process

* update Libraries Loaded by svchost with Low Occurrence Frequency

* updated Microsoft Office Child Processes with Low Occurrence Frequency by Unique Agent

* updated Network Discovery via Sensitive Ports by Unusual Process

* updated PE File Transfer via SMB_Admin Shares by Agent or User

* updated Persistence via Run Key with Low Occurrence Frequency

* updates Persistence via Startup with Low Occurrence Frequency by Unique Host

* updates "Persistence via Run Key with Low Occurrence Frequency"; adjusted file names to remove data source

* updates "Low Occurrence of Suspicious Launch Agent or Launch Daemon"

* updates "Egress Network Connections with Total Bytes Greater than Threshold"

* updates "Rundll32 Execution Aggregated by Command Line"

* updates "Scheduled tasks Creation by Action via Registry"

* updates "Scheduled Tasks Creation for Unique Hosts by Task Command"

* updates "Suspicious Base64 Encoded Powershell Command"

* updates "Suspicious DNS TXT Record Lookups by Process"

* updates "Unique Windows Services Creation by Service File Name"

* Updates "Unique Windows Services Creation by Service File Name"

* updates "Windows Command and Scripting Interpreter from Unusual Parent Process"

* updates "Windows Logon Activity by Source IP"

* updates "Suspicious Network Connections by Unsigned Mach-O"

* updates LLM hunting queries

* re-generated markdown files; updated generate markdown py file

* updated test_hunt_data

* Update hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update hunting/windows/queries/drivers_load_with_low_occurrence_frequency.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* updated missing integrations

* updated MD docs according to recent hunting changes

* Update hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update hunting/windows/queries/detect_rare_dll_sideload_by_occurrence.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update hunting/llm/queries/aws_bedrock_dos_resource_exhaustion_detection.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* added enrichment policy link to rule

* Update hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/windows/docs/rundll32_execution_aggregated_by_cmdline.md

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/index.md

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 632e169)

hunting/generate_markdown.py

@@ -28,12 +28,13 @@ class Hunt:
     """Dataclass to represent a hunt."""
 
     author: str
+    description: str
     integration: list[str]
     uuid: str
     name: str
     language: str
     license: str
-    query: str
+    query: list[str]
     notes: Optional[List[str]] = field(default_factory=list)
     mitre: Optional[List[str]] = field(default_factory=list)
     references: Optional[List[str]] = field(default_factory=list)
@@ -81,11 +82,13 @@ def convert_toml_to_markdown(hunt_config: Hunt, file_path: Path) -> str:
     markdown = f"# {hunt_config.name}\n\n---\n\n"
     markdown += "## Metadata\n\n"
     markdown += f"- **Author:** {hunt_config.author}\n"
+    markdown += f"- **Description:** {hunt_config.description}\n"
     markdown += f"- **UUID:** `{hunt_config.uuid}`\n"
     markdown += f"- **Integration:** {", ".join(generate_integration_links(hunt_config.integration))}\n"
     markdown += f"- **Language:** `{hunt_config.language}`\n\n"
     markdown += "## Query\n\n"
-    markdown += f"```sql\n{hunt_config.query}```\n\n"
+    for query in hunt_config.query:
+        markdown += f"```sql\n{query}```\n\n"
 
     if hunt_config.notes:
         markdown += "## Notes\n\n" + "\n".join(f"- {note}" for note in hunt_config.notes)

hunting/index.md

@@ -3,65 +3,46 @@
 Here are the queries currently available:
 
 ## llm
-- [Denial of Service or Resource Exhaustion Attacks Detection](./llm/docs/llm_dos_resource_exhaustion_detection.md) (ES|QL)
-- [Monitoring for Latency Anomalies](./llm/docs/llm_latency_anomalies_detection.md) (ES|QL)
-- [Sensitive Content Refusal Detection](./llm/docs/llm_sensitive_content_refusal_detection.md) (ES|QL)
+- [AWS Bedrock LLM Denial-of-Service or Resource Exhaustion](./llm/docs/aws_bedrock_dos_resource_exhaustion_detection.md) (ES|QL)
+- [AWS Bedrock LLM Latency Anomalies](./llm/docs/aws_bedrock_latency_anomalies_detection.md) (ES|QL)
+- [AWS Bedrock LLM Sensitive Content Refusals](./llm/docs/aws_bedrock_sensitive_content_refusal_detection.md) (ES|QL)
 
 
 ## macos
 - [Suspicious Network Connections by Unsigned Mach-O](./macos/docs/suspicious_network_connections_by_unsigned_macho.md) (ES|QL)
 
 
 ## windows
-- [CreateRemoteThread by source process with low occurrence](./windows/docs/createremotethread_by_source_process_with_low_occurrence.md) (ES|QL)
-- [Detect DLL Hijack via Masquerading as Microsoft Native Libraries - Elastic Defend](./windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_elastic_defend.md) (ES|QL)
-- [Detect DLL Hijack via Masquerading as Microsoft Native Libraries - Sysmon](./windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_sysmon.md) (ES|QL)
-- [Detect masquerading attempts as native Windows binaries](./windows/docs/detect_masquerading_attempts_as_native_windows_binaries.md) (ES|QL)
-- [Detect Rare DLL SideLoad by Occurrence - Elastic Defend](./windows/docs/detect_rare_dll_sideload_by_occurrence_elastic_defend.md) (ES|QL)
-- [Detect Rare DLL SideLoad by Occurrence - Sysmon](./windows/docs/detect_rare_dll_sideload_by_occurrence_sysmon.md) (ES|QL)
-- [Detect Rare LSASS Process Access Attempts - Elastic Defend](./windows/docs/detect_rare_lsass_process_access_attempts_elastic_defend.md) (ES|QL)
-- [Detect Rare LSASS Process Access Attempts - Sysmon](./windows/docs/detect_rare_lsass_process_access_attempts_sysmon.md) (ES|QL)
-- [Doamin Names queries via Lolbins and with low occurence frequency](./windows/docs/doamin_names_queries_via_lolbins_and_with_low_occurence_frequency.md) (ES|QL)
-- [Drivers Load with low occurrence frequency - Elastic Defend](./windows/docs/drivers_load_with_low_occurrence_frequency_elastic_defend.md) (ES|QL)
-- [Drivers Load with low occurrence frequency - Sysmon](./windows/docs/drivers_load_with_low_occurrence_frequency_sysmon.md) (ES|QL)
-- [Drivers Load with low occurrence frequency - Windows 7045](./windows/docs/drivers_load_with_low_occurrence_frequency_windows_7045.md) (ES|QL)
-- [Excessive RDP Network Activity by Source Host and User- Elastic Defend - Sysmon](./windows/docs/excessive_rdp_network_activity_by_source_host_and_user-_elastic_defend_sysmon.md) (ES|QL)
-- [Excessive RDP Network Activity by Source Host - Elastic Defend - Sysmon](./windows/docs/excessive_rdp_network_activity_by_source_host_elastic_defend_sysmon.md) (ES|QL)
-- [Excessive SMB Network Activity by process Id](./windows/docs/excessive_smb_network_activity_by_process_id.md) (ES|QL)
-- [Executable File creation by an Unusual Microsoft Binary - Elastic Defend](./windows/docs/executable_file_creation_by_an_unusual_microsoft_binary_elastic_defend.md) (ES|QL)
-- [Executable File creation by an Unusual Microsoft Binary - Sysmon](./windows/docs/executable_file_creation_by_an_unusual_microsoft_binary_sysmon.md) (ES|QL)
-- [Execution via Network Logon by occurrence frequency](./windows/docs/execution_via_network_logon_by_occurrence_frequency.md) (ES|QL)
-- [Execution via Network Logon by occurrence frequency by top Source IP](./windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md) (ES|QL)
+- [Low Occurrence Rate of CreateRemoteThread by Source Process](./windows/docs/createremotethread_by_source_process_with_low_occurrence.md) (ES|QL)
+- [DLL Hijack via Masquerading as Microsoft Native Libraries](./windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.md) (ES|QL)
+- [Masquerading Attempts as Native Windows Binaries](./windows/docs/detect_masquerading_attempts_as_native_windows_binaries.md) (ES|QL)
+- [Rare DLL Side-Loading by Occurrence](./windows/docs/detect_rare_dll_sideload_by_occurrence.md) (ES|QL)
+- [Rare LSASS Process Access Attempts](./windows/docs/detect_rare_lsass_process_access_attempts.md) (ES|QL)
+- [DNS Queries via LOLBins with Low Occurence Frequency](./windows/docs/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.md) (ES|QL)
+- [Low Occurrence of Drivers Loaded on Unique Hosts](./windows/docs/drivers_load_with_low_occurrence_frequency.md) (ES|QL)
+- [Excessive RDP Network Activity by Host and User](./windows/docs/excessive_rdp_network_activity_by_source_host_and_user.md) (ES|QL)
+- [Excessive SMB Network Activity by Process ID](./windows/docs/excessive_smb_network_activity_by_process_id.md) (ES|QL)
+- [Executable File Creation by an Unusual Microsoft Binary](./windows/docs/executable_file_creation_by_an_unusual_microsoft_binary.md) (ES|QL)
+- [Frequency of Process Execution via Network Logon by Source Address](./windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md) (ES|QL)
 - [Execution via Remote Services by Client Address](./windows/docs/execution_via_remote_services_by_client_address.md) (ES|QL)
-- [Execution via Startup with low occurrence frequency](./windows/docs/execution_via_startup_with_low_occurrence_frequency.md) (ES|QL)
-- [Execution via Windows Management Instrumentation by occurrence frequency by Unique Agent - Elastic Defend - Sysmon](./windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent_elastic_defend_sysmon.md) (ES|QL)
-- [Execution via Windows Management Instrumentation by occurrence frequency - Elastic Defend - Sysmon](./windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon.md) (ES|QL)
-- [Execution via Windows Management Instrumentation by occurrence frequency - Elastic Defend - Sysmon - Windows Security](./windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon_windows_security.md) (ES|QL)
-- [Execution via Windows Scheduled Task with low occurrence frequency](./windows/docs/execution_via_windows_scheduled_task_with_low_occurrence_frequency.md) (ES|QL)
-- [Execution via Windows Services with low occurrence frequency - Elastic Defend - Sysmon](./windows/docs/execution_via_windows_services_with_low_occurrence_frequency_elastic_defend_sysmon.md) (ES|QL)
-- [Execution via Windows Services with low occurrence frequency - Windows Security](./windows/docs/execution_via_windows_services_with_low_occurrence_frequency_windows_security.md) (ES|QL)
-- [High count of network connection over extended period by process - Elastic Defend Network](./windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network.md) (ES|QL)
-- [High count of network connection over extended period by process - Elastic Defend Network - Sysmon](./windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network_sysmon.md) (ES|QL)
-- [High count of network connection over extended period by process - Elastic Defend - Sysmon](./windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_sysmon.md) (ES|QL)
-- [Libraries loaded by svchost with low occurrence frequency - Elastic Defend](./windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency_elastic_defend.md) (ES|QL)
-- [Libraries loaded by svchost with low occurrence frequency - Sysmon](./windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency_sysmon.md) (ES|QL)
-- [Microsoft Office Child Processes with low occurrence frequency](./windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md) (ES|QL)
-- [Network Discovery via sensitive ports by unusual process](./windows/docs/network_discovery_via_sensitive_ports_by_unusual_process.md) (ES|QL)
-- [PE File Transfer via SMB_Admin Shares by Agent](./windows/docs/pe_file_transfer_via_smb_admin_shares_by_agent.md) (ES|QL)
-- [PE File Transfer via SMB_Admin Shares by User](./windows/docs/pe_file_transfer_via_smb_admin_shares_by_user.md) (ES|QL)
-- [Persistence via Run Key with low occurrence frequency - Elastic Defend](./windows/docs/persistence_via_run_key_with_low_occurrence_frequency_elastic_defend.md) (ES|QL)
-- [Persistence via Run Key with low occurrence frequency - Sysmon](./windows/docs/persistence_via_run_key_with_low_occurrence_frequency_sysmon.md) (ES|QL)
-- [Persistence via Startup with low occurrence frequency](./windows/docs/persistence_via_startup_with_low_occurrence_frequency.md) (ES|QL)
-- [Persistence via Suspicious Launch Agent or Launch Daemon with low occurrence](./windows/docs/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.md) (ES|QL)
-- [Potential Exfiltration by process total egress bytes](./windows/docs/potential_exfiltration_by_process_total_egress_bytes.md) (ES|QL)
-- [Rundll32 execution aggregated by cmdline](./windows/docs/rundll32_execution_aggregated_by_cmdline.md) (ES|QL)
-- [Scheduled tasks creation by action via registry](./windows/docs/scheduled_task_creation_by_action_via_registry.md) (ES|QL)
-- [Scheduled tasks creation with low occurrence frequency](./windows/docs/scheduled_tasks_creation_with_low_occurrence_frequency.md) (ES|QL)
-- [Suspicious Base64 Encoded PowerShell Command](./windows/docs/suspicious_base64_encoded_powershell_commands.md) (ES|QL)
-- [Suspicious DNS TXT Record lookups by process](./windows/docs/suspicious_dns_txt_record_lookups_by_process.md) (ES|QL)
-- [Unique Windows Services Creation by ServiceFileName - Elastic Defend Registry - Sysmon](./windows/docs/unique_windows_services_creation_by_servicefilename_elastic_defend_registry_sysmon.md) (ES|QL)
-- [Unique Windows Services Creation by ServiceFileName - Elastic Defend - Sysmon Registry](./windows/docs/unique_windows_services_creation_by_servicefilename_elastic_defend_sysmon_registry.md) (ES|QL)
-- [Unique Windows Services Creation by ServiceFileName - Windows Security 4697](./windows/docs/unique_windows_services_creation_by_servicefilename_windows_security_4697.md) (ES|QL)
-- [Unique Windows Services Creation by ServiceFileName - Windows Security 7045](./windows/docs/unique_windows_services_creation_by_servicefilename_windows_security_7045.md) (ES|QL)
-- [Windows Command and Scripting Interpreter from unusual parent](./windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md) (ES|QL)
-- [Windows logon activity by source IP](./windows/docs/windows_logon_activity_by_source_ip.md) (ES|QL)
+- [Startup Execution with Low Occurrence Frequency by Unique Host](./windows/docs/execution_via_startup_with_low_occurrence_frequency.md) (ES|QL)
+- [Low Frequency of Process Execution via WMI by Unique Agent](./windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md) (ES|QL)
+- [Low Frequency of Process Execution via Windows Scheduled Task by Unique Agent](./windows/docs/execution_via_windows_scheduled_task_with_low_occurrence_frequency.md) (ES|QL)
+- [Low Occurence of Process Execution via Windows Services with Unique Agent](./windows/docs/execution_via_windows_services_with_low_occurrence_frequency.md) (ES|QL)
+- [High Count of Network Connection Over Extended Period by Process](./windows/docs/high_count_of_network_connection_over_extended_period_by_process.md) (ES|QL)
+- [Libraries Loaded by svchost with Low Occurrence Frequency](./windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency.md) (ES|QL)
+- [Microsoft Office Child Processes with Low Occurrence Frequency by Unique Agent](./windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md) (ES|QL)
+- [Network Discovery via Sensitive Ports by Unusual Process](./windows/docs/network_discovery_via_sensitive_ports_by_unusual_process.md) (ES|QL)
+- [PE File Transfer via SMB_Admin Shares by Agent or User](./windows/docs/pe_file_transfer_via_smb_admin_shares_by_agent.md) (ES|QL)
+- [Persistence via Run Key with Low Occurrence Frequency](./windows/docs/persistence_via_run_key_with_low_occurrence_frequency.md) (ES|QL)
+- [Persistence via Startup with Low Occurrence Frequency by Unique Host](./windows/docs/persistence_via_startup_with_low_occurrence_frequency.md) (ES|QL)
+- [Low Occurrence of Suspicious Launch Agent or Launch Daemon](./windows/docs/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.md) (ES|QL)
+- [Egress Network Connections with Total Bytes Greater than Threshold](./windows/docs/potential_exfiltration_by_process_total_egress_bytes.md) (ES|QL)
+- [Rundll32 Execution Aggregated by Command Line](./windows/docs/rundll32_execution_aggregated_by_cmdline.md) (ES|QL)
+- [Scheduled tasks Creation by Action via Registry](./windows/docs/scheduled_task_creation_by_action_via_registry.md) (ES|QL)
+- [Scheduled Tasks Creation for Unique Hosts by Task Command](./windows/docs/scheduled_tasks_creation_for_unique_hosts_by_task_command.md) (ES|QL)
+- [Suspicious Base64 Encoded Powershell Command](./windows/docs/suspicious_base64_encoded_powershell_commands.md) (ES|QL)
+- [Suspicious DNS TXT Record Lookups by Process](./windows/docs/suspicious_dns_txt_record_lookups_by_process.md) (ES|QL)
+- [Unique Windows Services Creation by Service File Name](./windows/docs/unique_windows_services_creation_by_servicefilename.md) (ES|QL)
+- [Windows Command and Scripting Interpreter from Unusual Parent Process](./windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md) (ES|QL)
+- [Windows Logon Activity by Source IP](./windows/docs/windows_logon_activity_by_source_ip.md) (ES|QL)

hunting/llm/docs/llm_dos_resource_exhaustion_detection.md → hunting/llm/docs/aws_bedrock_dos_resource_exhaustion_detection.md

@@ -1,10 +1,12 @@
-# Denial of Service or Resource Exhaustion Attacks Detection
+# AWS Bedrock LLM Denial-of-Service or Resource Exhaustion
 
 ---
 
 ## Metadata
 
 - **Author:** Elastic
+- **Description:** This hunting query identifies unusual spikes in token usage that may indicate malicious attempts to disrupt services. High token usage can strain system resources and degrade performance, aligning with tactics observed in DoS attacks.
+
 - **UUID:** `dc181967-c32c-46c9-b84b-ec4c8811c6a0`
 - **Integration:** [aws_bedrock.invocation](https://docs.elastic.co/integrations/aws_bedrock)
 - **Language:** `ES|QL`
@@ -29,7 +31,6 @@ from logs-aws_bedrock.invocation-*
 
 ## Notes
 
-- This query identifies unusual spikes in token usage that may indicate malicious attempts to disrupt services. High token usage can strain system resources and degrade performance, aligning with tactics observed in DoS attacks.
 - Consider reviewing the context of high token requests to differentiate between legitimate heavy usage and potential abuse. Monitor the source of requests and patterns over time for better assessment.
 - Ensure logging and monitoring are correctly configured to capture detailed metrics on token usage. This will facilitate accurate detection and allow for a quick response to potential threats.
 - Collect evidence from logs that detail the timestamp, user ID, session information, and token counts for incidents flagged by this analytic. This information will be crucial for forensic analysis in the event of a security incident.
@@ -40,7 +41,7 @@ from logs-aws_bedrock.invocation-*
 
 - https://www.elastic.co/security-labs/elastic-advances-llm-security
 - https://owasp.org/www-project-top-10-for-large-language-model-applications/
-- [Denial of Service or Resource Exhaustion Attacks Detection](../queries/llm_dos_resource_exhaustion_detection.toml)
+- [AWS Bedrock LLM Denial-of-Service or Resource Exhaustion](../queries/aws_bedrock_dos_resource_exhaustion_detection.toml)
 
 ## License
 

hunting/llm/docs/llm_latency_anomalies_detection.md → hunting/llm/docs/aws_bedrock_latency_anomalies_detection.md

@@ -1,10 +1,12 @@
-# Monitoring for Latency Anomalies
+# AWS Bedrock LLM Latency Anomalies
 
 ---
 
 ## Metadata
 
 - **Author:** Elastic
+- **Description:** This analytic helps identify delays in LLM responses that are outside expected performance parameters, possibly due to malicious disruptions like DDoS attacks or from operational inefficiencies.
+
 - **UUID:** `3708787b-811b-43b1-b2e7-c7276b8db48c`
 - **Integration:** [aws_bedrock.invocation](https://docs.elastic.co/integrations/aws_bedrock)
 - **Language:** `ES|QL`
@@ -24,7 +26,6 @@ from logs-aws_bedrock.invocation-*
 
 ## Notes
 
-- This analytic helps identify delays in LLM responses that are outside expected performance parameters, possibly due to malicious disruptions like DDoS attacks or from operational inefficiencies.
 - Review the incidents flagged by this analytic to understand the context and potential sources of latency. This can include network configurations, resource allocation, or external network pressures.
 - Effective logging and monitoring setup are essential to capture relevant latency metrics accurately. Ensure system clocks and time syncing are properly configured to avoid false positives.
 - Gather comprehensive logs that detail the request and response timestamps, user IDs, and session details for thorough investigation and evidence collection in case of security incidents.
@@ -35,7 +36,7 @@ from logs-aws_bedrock.invocation-*
 
 - https://www.elastic.co/security-labs/elastic-advances-llm-security
 - https://owasp.org/www-project-top-10-for-large-language-model-applications/
-- [Monitoring for Latency Anomalies](../queries/llm_latency_anomalies_detection.toml)
+- [AWS Bedrock LLM Latency Anomalies](../queries/aws_bedrock_latency_anomalies_detection.toml)
 
 ## License