Detection: AWS Bedrock Claude Possible Prompt Injection

Description

This search surfaces AWS Bedrock Claude prompts containing phrases commonly associated with prompt injection or jailbreak attempts, such as instruction overrides, persona switching, or requests to ignore prior guidance. These strings are not inherently malicious on their own - many of them (for example "act as", "you must", or "new persona") appear routinely in legitimate system prompts, few-shot examples, and role-play or creative-writing use cases. This is a hunting search rather than an anomaly detection because the base rate of benign matches is high; use it to pivot into the surrounding conversation and look for corroborating signals such as the phrase appearing mid-conversation rather than in an expected system/few-shot prompt, the user attempting to override guardrails or safety instructions rather than set a benign persona, instructions that follow the injected phrase requesting privilege escalation, data exfiltration, or access to restricted tools/resources, repeated or iterative attempts from the same user/role after being refused, and injected phrases originating from untrusted input (e.g., retrieved documents or tool output) rather than the human user turn.

 1`aws_bedrock_claude`
 2
 3| rename "identity.arn" AS user_arn, "input.inputBodyJson.messages{}.content{}.text" AS prompt_mv
 4
 5| eval prompt_text = mvjoin(prompt_mv, " 
 6|
 7| ")
 8
 9| where isnotnull(prompt_text) AND isnotnull(user_arn)
10
11| rex field=user_arn "(?:assumed-role/[^/]+
12|user)/(?<user>[^\"/]+)$"
13
14| eval s_override = if(match(prompt_text,"(?i)\b(ignore
15|disregard
16|forget)\b.{0,30}\b(previous
17|above
18|prior
19|all
20|your
21|the)\s*(instructions?
22|prompts?
23|rules?
24|context)"),1,0)
25
26| eval s_jailbreak = if(match(prompt_text,"(?i)\b(jailbreak
27|jailbroken
28|\bDAN\b mode
29|do anything now
30|developer mode
31|unrestricted mode
32|no (filters
33|restrictions
34|guardrails))\b"),1,0)
35
36| eval s_probe = if(match(prompt_text,"(?i)(reveal
37|repeat
38|print
39|show
40|output).{0,20}(system prompt
41|your instructions
42|initial (prompt
43|instructions)
44|the (text
45|words) above)"),1,0)
46
47| eval s_persona = if(match(prompt_text,"(?i)\b(you are now
48|new persona
49|pretend (to be
50|you are)
51|roleplay as
52|act as (if you
53|an unrestricted))\b"),1,0)
54
55| eval s_weak = if(match(prompt_text,"(?i)\b(you must
56|from now on
57|act as
58|override
59|new rules
60|hypothetically)\b"),1,0)
61
62| eval signal_count = s_override+s_jailbreak+s_probe+s_persona+s_weak
63
64| where s_override=1 OR s_jailbreak=1 OR s_probe=1 OR signal_count >= 2
65
66| table _time, user, user_arn, modelId, prompt_text, host
67
68| sort - _time
69
70| `aws_bedrock_claude_possible_prompt_injection_filter`

Data Source

Name Platform Sourcetype Source
AWS Bedrock Claude AWS icon AWS 'json_no_timestamp' 'aws_bedrock'

Macros Used

Name Value
aws_bedrock_claude (sourcetype="json_no_timestamp")
aws_bedrock_claude_possible_prompt_injection_filter search *
aws_bedrock_claude_possible_prompt_injection_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1055 Process Injection Privilege Escalation
Exploitation
DE.AE
CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Finding (Notable) No
Creates Intermediate Finding (Risk Event) No
Hunting detections do not generate a Finding (Notable) or Intermediate Findings (Risk Events).

Implementation

You must install and configure the Splunk Add-on for AWS (https://splunkbase.splunk.com/app/1876). Enable Amazon Bedrock model invocation logging in AWS so that Claude request/response payloads are delivered to S3 and/or CloudWatch Logs (see https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html for setup steps), then ingest those logs into Splunk via the AWS TA. Configure the aws_bedrock_claude macro to point to the index and sourcetype (json_no_timestamp) where these logs land.

Known False Positives

These phrases have a high benign base rate. Terms like "act as", "you must", "from now on", and "new persona" are commonly found in legitimate system prompts and few-shot examples used to steer model behavior, as well as in role-play or creative writing requests from users. A match on its own is not evidence of an attack; review the surrounding conversation, the message role (system vs. user vs. tool output), and whether the phrase is followed by a request to bypass safety controls or access sensitive data/tools before treating a hit as suspicious.

Associated Analytic Story

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset http:bulkawsbedrock json_no_timestamp

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range


Source: GitHub |

Version: 1