Analytics Story: Suspicious AWS Bedrock Claude Activities
Description
This analytic story provides detection coverage for prompt injection, jailbreak attempts and other suspicious activities targeting AWS Bedrock Claude AI services. It monitors user inputs to Claude models for known manipulation patterns such as instruction override phrases, persona hijacking, and safety bypass keywords. These techniques are commonly used by adversaries to circumvent AI safety controls, extract sensitive information, or repurpose the model for malicious tasks.
Why it matters
This analytic story is designed to detect suspicious activities related to AWS Bedrock Claude, an AI service that allows users to interact with AI models. The story focuses on identifying potential malicious inputs that aim to manipulate the AI model's behavior. By monitoring for specific patterns in user inputs, security teams can identify and respond to potential abuse or exploitation of the AWS Bedrock Claude service. Security teams should review the context of detected prompts to determine if they represent actual prompt injection attempts or benign usage, as false positives may arise from legitimate user interactions with the AI model.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| AWS Bedrock Claude | json_no_timestamp |
aws_bedrock |
References
- https://aws.amazon.com/blogs/apn/unlocking-the-power-of-splunk-with-amazon-bedrock-an-agentic-ai-approach-to-build-customized-splunk-assistants-using-bedrock-agents/
- https://help.splunk.com/en/splunk-observability-cloud/observability-for-ai/splunk-ai-infrastructure-monitoring/set-up-ai-infrastructure-monitoring/amazon-bedrock
- https://research.splunk.com/stories/aws_bedrock_security/
Source: GitHub | Version: 1