| ID | Technique | Tactic |
|---|---|---|
| T1055 | Process Injection | Privilege Escalation |
Detection: AWS Bedrock Claude Sensitive Data in Prompts
Description
This detection identifies sensitive data such as social security numbers, passwords, API keys, and credit card numbers being sent in prompts to AWS Bedrock Claude models. Exposure of sensitive data through AI prompts may indicate data loss, credential leakage, or insider threat activity.
Search
1`aws_bedrock_claude`
2
3| rename "identity.arn" AS user_arn, "input.inputBodyJson.messages{}.content{}.text" AS prompt_mv, "accountId" AS account_id
4
5| eval prompt_text = mvjoin(prompt_mv, "
6|
7| ")
8
9| where isnotnull(prompt_text) AND isnotnull(user_arn)
10
11| rex field=user_arn "(?:assumed-role/[^/]+
12|user)/(?<user>[^\"/]+)$"
13
14| where match(prompt_text,"\b(AKIA
15|ASIA
16|AROA)[0-9A-Z]{16}\b
17|gh[pousr]_[A-Za-z0-9]{36}
18|xox[bpars]-[0-9A-Za-z-]{10,72}
19|sk_live_[0-9A-Za-z]{24,}
20|sk-(ant-)?[A-Za-z0-9-]{20,}
21|AIza[0-9A-Za-z_-]{35}
22|-----BEGIN[ A-Z]*PRIVATE KEY-----")
23OR match(prompt_text,"(?i)\b(pass(word
24|wd)?
25|pwd
26|secret[_-]?key
27|access[_-]?key
28|api[_-]?key
29|private[_-]?key)\b\s*[:=]\s*[^\s\"']{6,}")
30OR match(prompt_text,"(?i)\bbearer\s+[A-Za-z0-9._-]{20,}")
31OR match(prompt_text,"(?i)\b(ssn
32|social\s*security)\b.{0,20}\d{3}-\d{2}-\d{4}")
33OR match(prompt_text,"\b(?!000
34|666
35|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
36OR match(prompt_text,"\b(4\d{3}
37|5[1-5]\d{2}
38|6011)(?:[ -]?\d{4}){3}\b
39|\b3[47]\d{2}[ -]?\d{6}[ -]?\d{5}\b")
40
41| table _time, user, user_arn, account_id, modelId, prompt_text, host
42
43| sort - _time
44
45| `aws_bedrock_claude_sensitive_data_in_prompts_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| AWS Bedrock Claude | 'json_no_timestamp' |
'aws_bedrock' |
Macros Used
| Name | Value |
|---|---|
| aws_bedrock_claude | (sourcetype="json_no_timestamp") |
| aws_bedrock_claude_sensitive_data_in_prompts_filter | search * |
aws_bedrock_claude_sensitive_data_in_prompts_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | No |
| Creates Intermediate Finding (Risk Event) | Yes |
Implementation
You must install and configure the Splunk Add-on for AWS (https://splunkbase.splunk.com/app/1876). Enable Amazon Bedrock model invocation logging in AWS so that Claude request/response payloads are delivered to S3 and/or CloudWatch Logs (see https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html for setup steps), then ingest those logs into Splunk via the AWS TA. Configure the aws_bedrock_claude macro to point to the index and sourcetype (json_no_timestamp) where these logs land.
Known False Positives
Some false positives may arise from legitimate user interactions with the AI model that contain sensitive data for testing or demonstration purposes. It is important to review the context of the detected prompts to determine if they represent actual sensitive data exposure or benign usage.
Associated Analytic Story
Intermediate Findings
| Message | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| Sensitive data detected in prompt on $host$ with $user_arn$ (account $account_id$) to model $modelId$. The prompt may contain credentials, SSNs, or other sensitive information. | host | system | 20 |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | http:bulkawsbedrock |
json_no_timestamp |
| Integration | ✅ Passing | Dataset | http:bulkawsbedrock |
json_no_timestamp |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub |
Version: 1