| ID | Technique | Tactic |
|---|---|---|
| T1055 | Process Injection | Privilege Escalation |
Detection: AWS Bedrock Claude Unusually Large Prompts
Description
This detection identifies unusually large prompts sent to AWS Bedrock Claude models by calculating the statistical baseline of input token counts and flagging requests that exceed 15 standard deviations above the mean. Abnormally large prompts may indicate prompt injection attacks, data exfiltration attempts, or abuse of the AI service.
Search
1`aws_bedrock_claude`
2
3| rename "input.inputTokenCount" AS input_tokens
4
5| rename "identity.arn" AS user_arn
6
7| rename "accountId" AS account_id
8
9| rex field=user_arn "assumed-role/[^/]+/(?<user>[^\"]+)$"
10
11| eval input_tokens=tonumber(input_tokens)
12
13| where input_tokens>0
14
15| eventstats avg(input_tokens) AS avg_tokens stdev(input_tokens) AS stdev
16
17| where input_tokens > avg_tokens + (1*stdev)
18
19| where input_tokens > 1000
20
21| table _time, modelId, user, user_arn, account_id, input_tokens, avg_tokens, host
22
23| sort - input_tokens
24
25| `aws_bedrock_claude_unusually_large_prompts_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| AWS Bedrock Claude | 'json_no_timestamp' |
'aws_bedrock' |
Macros Used
| Name | Value |
|---|---|
| aws_bedrock_claude | (sourcetype="json_no_timestamp") |
| aws_bedrock_claude_unusually_large_prompts_filter | search * |
aws_bedrock_claude_unusually_large_prompts_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | No |
| Creates Intermediate Finding (Risk Event) | Yes |
Implementation
You must install and configure the Splunk Add-on for AWS (https://splunkbase.splunk.com/app/1876). Enable Amazon Bedrock model invocation logging in AWS so that Claude request/response payloads are delivered to S3 and/or CloudWatch Logs (see https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html for setup steps), then ingest those logs into Splunk via the AWS TA. Configure the aws_bedrock_claude macro to point to the index and sourcetype (json_no_timestamp) where these logs land.
Known False Positives
Possible false positives may arise from legitimate user interactions with the AI model that require large input prompts, such as complex queries or multi-turn conversations. It is important to review the context of the detected prompts to determine if they represent actual prompt injection attempts or benign usage.
Associated Analytic Story
Intermediate Findings
| Message | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| Unusually large prompt detected on $host$ with $input_tokens$ input tokens, exceeding the statistical baseline of $avg_tokens$ average tokens. | host | system | 20 |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | http:bulkawsbedrock |
json_no_timestamp |
| Integration | ✅ Passing | Dataset | http:bulkawsbedrock |
json_no_timestamp |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub |
Version: 1