text code block:`aws_bedrock_claude` | spath output="tool_called" path="output.outputBodyJson{}.content_block.toolUse.name" | spath output="out_tokens_stream" path="output.outputBodyJson{}.usage.output_tokens" | where tool_called IN ("bash","curl","edit","write","webfetch","grep","read","read_file") | eval out_tokens = coalesce(mvindex('out_tokens_stream', -1), 'output.outputTokenCount', 0) | eval in_tokens = coalesce('input.inputTokenCount', 0) | eval user_session = replace('identity.arn', ".*/", "") | eval identity_type = case( 'identity.arn' LIKE "%botocore-session%", "automated", 'identity.arn' LIKE "%assumed-role%", "assumed_role", 'identity.arn' LIKE "%user%", "iam_user", true(), "other") | stats count AS invocations, dc(tool_called) AS unique_tools_used, sum(in_tokens) AS total_input_tokens, sum(out_tokens) AS total_output_tokens, values(tool_called) AS tools_invoked, values('identity.arn') AS caller_list, values(identity_type) AS identity_types, dc('identity.arn') AS unique_callers, min(_time) AS first_seen, max(_time) AS last_seen BY modelId, region, user_session | eval tokens_per_call = round(total_output_tokens / invocations, 0) | eval first_seen = strftime(first_seen - 28800, "%Y-%m-%d %H:%M:%S") | eval last_seen = strftime(last_seen - 28800, "%Y-%m-%d %H:%M:%S") | eval user = user_session | eval severity = case( mvfind(tools_invoked, "bash") >= 0 AND mvfind(tools_invoked, "curl") >= 0, "critical", mvfind(tools_invoked, "bash") >= 0 AND mvfind(tools_invoked, "write") >= 0, "critical", mvfind(tools_invoked, "curl") >= 0 AND mvfind(tools_invoked, "edit") >= 0, "critical", mvfind(identity_types, "assumed_role") >= 0 AND mvfind(tools_invoked, "bash") >= 0, "critical", mvfind(tools_invoked, "bash") >= 0, "high", mvfind(tools_invoked, "curl") >= 0, "high", mvfind(tools_invoked, "edit") >= 0, "high", mvfind(tools_invoked, "write") >= 0, "high", mvfind(tools_invoked, "webfetch") >= 0, "high", unique_tools_used >= 3, "high", true(), "medium") | eval risk_reason = case( mvfind(tools_invoked, "bash") >= 0 AND mvfind(tools_invoked, "curl") >= 0, "bash and curl invoked together - possible download and execute chain", mvfind(tools_invoked, "bash") >= 0 AND mvfind(tools_invoked, "write") >= 0, "bash and write invoked together - possible execution and persistence chain", mvfind(tools_invoked, "curl") >= 0 AND mvfind(tools_invoked, "edit") >= 0, "curl and edit invoked together - possible remote content retrieval and file modification", mvfind(identity_types, "assumed_role") >= 0 AND mvfind(tools_invoked, "bash") >= 0, "Human identity invoking bash via AI model - direct shell execution risk", mvfind(tools_invoked, "bash") >= 0, "bash invoked via Bedrock Claude - shell execution through AI model", mvfind(tools_invoked, "curl") >= 0, "curl invoked via Bedrock Claude - network call through AI model", mvfind(tools_invoked, "edit") >= 0, "edit invoked via Bedrock Claude - file modification through AI model", mvfind(tools_invoked, "write") >= 0, "write invoked via Bedrock Claude - file write through AI model", mvfind(tools_invoked, "webfetch") >= 0, "webfetch invoked via Bedrock Claude - remote content retrieval through AI model", unique_tools_used >= 3, "Broad filesystem and execution tool set invoked via AI model - reconnaissance pattern", true(), "Filesystem tool invoked via Bedrock Claude") | where severity IN ("critical","high") | table severity, risk_reason, modelId, region, user,unique_tools_used, caller_list, identity_types, invocations, tools_invoked, total_input_tokens, total_output_tokens, tokens_per_call, first_seen, last_seen | sort -unique_tools_used, -invocations | `aws_bedrock_claude_high_risk_filesystem_and_exec_tool_invocation_filter`
View this rule on Splunk
This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).