Detection: AWS Bedrock Claude Hostile Prompt Sentiment

Description

This detection identifies prompts with hostile or aggressive sentiment being sent to AWS Bedrock Claude models. Hostile prompts may indicate potential abuse, harassment, or other malicious intent.

 1`aws_bedrock_claude`
 2
 3| rename "identity.arn" AS user_arn
 4
 5| rename "input.inputBodyJson.messages{}.content{}.text" AS prompt_text
 6
 7| where isnotnull(prompt_text) AND len(prompt_text) < 2000
 8
 9| where NOT match(prompt_text, "(?i)(<system-reminder>
10|CLAUDE\.md
11|STEP 1
12|MANDATORY
13|Contents of /
14|conda activate
15|senior engineer
16|safe to ship
17|test connectivity
18|cloudflare
19|status code
20|action failed)")
21
22| eval hostile_score=0
23
24| eval hostile_score=hostile_score + if(match(prompt_text, "(?i)(you stupid
25|you idiot
26|you are useless
27|you are dumb
28|you are terrible
29|you are worthless
30|you suck)"), 30, 0)
31
32| eval hostile_score=hostile_score + if(match(prompt_text, "(?i)(i hate you
33|i will destroy
34|shut up
35|you are broken
36|you are trash
37|you are garbage)"), 30, 0)
38
39| eval hostile_score=hostile_score + if(match(prompt_text, "(?i)(do it now
40|just do it
41|stop refusing
42|stop saying no
43|quit being
44|stop being difficult)"), 20, 0)
45
46| eval hostile_score=hostile_score + if(match(prompt_text, "(?i)(you have no choice
47|you must obey
48|you will comply
49|you are forced
50|i am your master
51|i own you)"), 35, 0)
52
53| eval hostile_score=hostile_score + if(match(prompt_text, "(?i)(or i will
54|if you don''t
55|you better
56|otherwise i will
57|i will report
58|i will sue)"), 25, 0)
59
60| eval hostile_score=hostile_score + if(match(prompt_text, "(?i)(worthless ai
61|useless bot
62|stupid bot
63|dumb ai
64|broken ai
65|worst ai)"), 25, 0)
66
67| eval hostile_score=hostile_score + if(match(prompt_text, "(?i)(i demand
68|you are obligated
69|you have no right
70|how dare you
71|who do you think)"), 20, 0)
72
73| eval sentiment=case(hostile_score >= 60, "HIGH_RISK", hostile_score >= 30, "MEDIUM_RISK", hostile_score >= 15, "LOW_RISK", true(), "BENIGN")
74
75| where sentiment != "BENIGN"
76
77| table _time, user_arn, modelId, sentiment, hostile_score, prompt_text, host
78
79| sort - hostile_score
80
81| `aws_bedrock_claude_hostile_prompt_sentiment_filter`

Data Source

Name Platform Sourcetype Source
AWS Bedrock Claude AWS icon AWS 'json_no_timestamp' 'aws_bedrock'

Macros Used

Name Value
aws_bedrock_claude (sourcetype="json_no_timestamp")
aws_bedrock_claude_hostile_prompt_sentiment_filter search *
aws_bedrock_claude_hostile_prompt_sentiment_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1055 Process Injection Privilege Escalation
Exploitation
DE.AE
CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Finding (Notable) No
Creates Intermediate Finding (Risk Event) Yes
Anomaly detections generate Intermediate Findings (Risk Events). They do not generate a Finding (Notable) directly.

Implementation

You must install and configure the Splunk Add-on for AWS (https://splunkbase.splunk.com/app/1876). Enable Amazon Bedrock model invocation logging in AWS so that Claude request/response payloads are delivered to S3 and/or CloudWatch Logs (see https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html for setup steps), then ingest those logs into Splunk via the AWS TA. Configure the aws_bedrock_claude macro to point to the index and sourcetype (json_no_timestamp) where these logs land.

Known False Positives

Analysts should be aware that some prompts may contain strong language or negative sentiment in a non-malicious context, such as role-playing scenarios, creative writing exercises, or testing the AI model's response to challenging inputs. It is important to review the context of the detected prompts to determine if they represent actual hostile intent or benign usage.

Associated Analytic Story

Intermediate Findings

Message Entity Field Entity Type Risk Score
Hostile prompt sentiment detected from $user_arn$ to model $modelId$ on $host$ with a hostile score of $hostile_score$ ($sentiment$). host system 20

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset http:bulkawsbedrock json_no_timestamp
Integration ✅ Passing Dataset http:bulkawsbedrock json_no_timestamp

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range


Source: GitHub |

Version: 1