Splunk

AWS Bedrock Claude High Risk Filesystem and Exec Tool Invocation

Last updated 2 days ago on 2026-07-17

About

Detects identities invoking high-risk filesystem and execution tools via AWS Bedrock Claude. For each identity, monitors the usage of potentially dangerous commands and flags any anomalous activity that deviates from their historical baseline. This may indicate attempts to escalate privileges, exfiltrate data, or execute unauthorized commands.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://aws.amazon.com/blogs/apn/unlocking-the-power-of-splunk-with-amazon-bedrock-an-agentic-ai-approach-to-build-customized-splunk-assistants-using-bedrock-agents/(external, opens in a new tab or window)https://help.splunk.com/en/splunk-observability-cloud/observability-for-ai/splunk-ai-infrastructure-monitoring/set-up-ai-infrastructure-monitoring/amazon-bedrock(external, opens in a new tab or window)https://research.splunk.com/stories/aws_bedrock_security/(external, opens in a new tab or window)https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html(external, opens in a new tab or window)
False Positives
This detection may produce false positives for legitimate developer activity where authorized users invoke shell execution, file write, or network tools through Claude Code as part of normal software development, deployment automation, or infrastructure management workflows.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`aws_bedrock_claude` | spath output="tool_called" path="output.outputBodyJson{}.content_block.toolUse.name" | spath output="out_tokens_stream" path="output.outputBodyJson{}.usage.output_tokens" | where tool_called IN ("bash","curl","edit","write","webfetch","grep","read","read_file") | eval out_tokens = coalesce(mvindex('out_tokens_stream', -1), 'output.outputTokenCount', 0) | eval in_tokens = coalesce('input.inputTokenCount', 0) | eval user_session = replace('identity.arn', ".*/", "") | eval identity_type = case( 'identity.arn' LIKE "%botocore-session%", "automated", 'identity.arn' LIKE "%assumed-role%", "assumed_role", 'identity.arn' LIKE "%user%", "iam_user", true(), "other") | stats count AS invocations, dc(tool_called) AS unique_tools_used, sum(in_tokens) AS total_input_tokens, sum(out_tokens) AS total_output_tokens, values(tool_called) AS tools_invoked, values('identity.arn') AS caller_list, values(identity_type) AS identity_types, dc('identity.arn') AS unique_callers, min(_time) AS first_seen, max(_time) AS last_seen BY modelId, region, user_session | eval tokens_per_call = round(total_output_tokens / invocations, 0) | eval first_seen = strftime(first_seen - 28800, "%Y-%m-%d %H:%M:%S") | eval last_seen = strftime(last_seen - 28800, "%Y-%m-%d %H:%M:%S") | eval user = user_session | eval severity = case( mvfind(tools_invoked, "bash") >= 0 AND mvfind(tools_invoked, "curl") >= 0, "critical", mvfind(tools_invoked, "bash") >= 0 AND mvfind(tools_invoked, "write") >= 0, "critical", mvfind(tools_invoked, "curl") >= 0 AND mvfind(tools_invoked, "edit") >= 0, "critical", mvfind(identity_types, "assumed_role") >= 0 AND mvfind(tools_invoked, "bash") >= 0, "critical", mvfind(tools_invoked, "bash") >= 0, "high", mvfind(tools_invoked, "curl") >= 0, "high", mvfind(tools_invoked, "edit") >= 0, "high", mvfind(tools_invoked, "write") >= 0, "high", mvfind(tools_invoked, "webfetch") >= 0, "high", unique_tools_used >= 3, "high", true(), "medium") | eval risk_reason = case( mvfind(tools_invoked, "bash") >= 0 AND mvfind(tools_invoked, "curl") >= 0, "bash and curl invoked together - possible download and execute chain", mvfind(tools_invoked, "bash") >= 0 AND mvfind(tools_invoked, "write") >= 0, "bash and write invoked together - possible execution and persistence chain", mvfind(tools_invoked, "curl") >= 0 AND mvfind(tools_invoked, "edit") >= 0, "curl and edit invoked together - possible remote content retrieval and file modification", mvfind(identity_types, "assumed_role") >= 0 AND mvfind(tools_invoked, "bash") >= 0, "Human identity invoking bash via AI model - direct shell execution risk", mvfind(tools_invoked, "bash") >= 0, "bash invoked via Bedrock Claude - shell execution through AI model", mvfind(tools_invoked, "curl") >= 0, "curl invoked via Bedrock Claude - network call through AI model", mvfind(tools_invoked, "edit") >= 0, "edit invoked via Bedrock Claude - file modification through AI model", mvfind(tools_invoked, "write") >= 0, "write invoked via Bedrock Claude - file write through AI model", mvfind(tools_invoked, "webfetch") >= 0, "webfetch invoked via Bedrock Claude - remote content retrieval through AI model", unique_tools_used >= 3, "Broad filesystem and execution tool set invoked via AI model - reconnaissance pattern", true(), "Filesystem tool invoked via Bedrock Claude") | where severity IN ("critical","high") | table severity, risk_reason, modelId, region, user,unique_tools_used, caller_list, identity_types, invocations, tools_invoked, total_input_tokens, total_output_tokens, tokens_per_call, first_seen, last_seen | sort -unique_tools_used, -invocations | `aws_bedrock_claude_high_risk_filesystem_and_exec_tool_invocation_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).