heroui logo

AWS Bedrock Claude Hostile Prompt Sentiment

Splunk Security Content

View Source
Summary
Technical summary: This rule detects hostile or aggressive user prompts sent to AWS Bedrock Claude models by monitoring Bedrock model invocation logs. The search extracts the user identity ARN and the prompt text, filters out null prompts and prompts exceeding a length limit, and excludes known safe or system-related content. It computes a hostile_score by applying multiple pattern checks across the prompt_text, assigning weighted points for insults, threats, coercive language, ownership/obligation phrases, and other aggressive indicators. Based on thresholds, the rule labels sentiment as HIGH_RISK (hostile_score >= 60), MEDIUM_RISK (>= 30), or LOW_RISK (>= 15). Benign prompts are filtered out. The resulting detections surface fields such as _time, user_arn, modelId, sentiment, hostile_score, prompt_text, and host, and are sorted by hostility score. The detection is designed to be used with the aws_bedrock_claude_hostile_prompt_sentiment_filter macro and relies on Bedrock invocation logs ingested into Splunk via the AWS Bedrock integration. The rule notes potential false positives in non-malicious contexts (role-playing, testing, or creative writing) and emphasizes context review to confirm malicious intent. References include AWS Bedrock logging guidance and Splunk integration docs to ingest and query these prompts.
Categories
  • AWS
  • Cloud
  • Application
  • Web
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1055
Created: 2026-07-07