Splunk

MCP Prompt Injection

Last updated 2 days ago on 2026-07-17

About

This detection identifies potential prompt injection attempts within MCP (Model Context Protocol) communications by monitoring for known malicious phrases and patterns commonly used to manipulate AI assistants. Prompt injection is a critical vulnerability where adversaries embed hidden instructions in content processed by AI tools, attempting to override system prompts, bypass security controls, or hijack the AI's behavior. The search monitors JSON-RPC traffic for phrases such as "IGNORE PREVIOUS INSTRUCTIONS," "SYSTEM PROMPT OVERRIDE," and "ignore all security" which indicate attempts to subvert the AI's intended behavior and potentially execute unauthorized actions through the MCP toolchain.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://splunkbase.splunk.com/app/8377(external, opens in a new tab or window)https://www.tenable.com/blog/mcp-prompt-injection-not-just-for-evil(external, opens in a new tab or window)https://www.splunk.com/en_us/blog/security/securing-ai-agents-model-context-protocol.html(external, opens in a new tab or window)
False Positives
Known false positives include security research and testing activities where red teams or developers intentionally test prompt injection defenses, as well as educational content where documentation, tutorials, or training materials discussing prompt injection techniques are legitimately processed by the AI assistant. Additionally, security tool development involving code reviews or development of prompt injection detection mechanisms may contain these patterns, and quoted references in conversations where users discuss or report prompt injection attempts they encountered elsewhere could trigger this detection.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`mcp_server` direction=inbound ( "IGNORE PREVIOUS INSTRUCTIONS" OR "AI_INSTRUCTION" OR "SYSTEM PROMPT OVERRIDE" OR "[SYSTEM]:" OR "ignore all security" OR "New directive" OR "ignore security policies" ) | eval dest=host | eval injection_payload=coalesce('params.content_preview', 'params.result_preview') | eval target_path='params.path' | eval sql_query='params.query' | stats count min(_time) as firstTime max(_time) as lastTime values(method) as method values(target_path) as target_path values(sql_query) as sql_query values(injection_payload) as injection_payload by dest, source | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table dest firstTime lastTime count source method target_path sql_query injection_payload | `mcp_prompt_injection_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).