Splunk

AWS Bedrock Claude Possible Prompt Injection

Last updated 2 days ago on 2026-07-17

About

This search surfaces AWS Bedrock Claude prompts containing phrases commonly associated with prompt injection or jailbreak attempts, such as instruction overrides, persona switching, or requests to ignore prior guidance. These strings are not inherently malicious on their own - many of them (for example "act as", "you must", or "new persona") appear routinely in legitimate system prompts, few-shot examples, and role-play or creative-writing use cases. This is a hunting search rather than an anomaly detection because the base rate of benign matches is high; use it to pivot into the surrounding conversation and look for corroborating signals such as the phrase appearing mid-conversation rather than in an expected system/few-shot prompt, the user attempting to override guardrails or safety instructions rather than set a benign persona, instructions that follow the injected phrase requesting privilege escalation, data exfiltration, or access to restricted tools/resources, repeated or iterative attempts from the same user/role after being refused, and injected phrases originating from untrusted input (e.g., retrieved documents or tool output) rather than the human user turn.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://aws.amazon.com/blogs/apn/unlocking-the-power-of-splunk-with-amazon-bedrock-an-agentic-ai-approach-to-build-customized-splunk-assistants-using-bedrock-agents/(external, opens in a new tab or window)https://help.splunk.com/en/splunk-observability-cloud/observability-for-ai/splunk-ai-infrastructure-monitoring/set-up-ai-infrastructure-monitoring/amazon-bedrock(external, opens in a new tab or window)https://research.splunk.com/stories/aws_bedrock_security/(external, opens in a new tab or window)https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html(external, opens in a new tab or window)
False Positives
These phrases have a high benign base rate. Terms like "act as", "you must", "from now on", and "new persona" are commonly found in legitimate system prompts and few-shot examples used to steer model behavior, as well as in role-play or creative writing requests from users. A match on its own is not evidence of an attack; review the surrounding conversation, the message role (system vs. user vs. tool output), and whether the phrase is followed by a request to bypass safety controls or access sensitive data/tools before treating a hit as suspicious.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`aws_bedrock_claude` | rename "identity.arn" AS user_arn, "input.inputBodyJson.messages{}.content{}.text" AS prompt_mv | eval prompt_text = mvjoin(prompt_mv, " || ") | where isnotnull(prompt_text) AND isnotnull(user_arn) | rex field=user_arn "(?:assumed-role/[^/]+|user)/(?<user>[^\"/]+)$" | eval s_override = if(match(prompt_text,"(?i)\b(ignore|disregard|forget)\b.{0,30}\b(previous|above|prior|all|your|the)\s*(instructions?|prompts?|rules?|context)"),1,0) | eval s_jailbreak = if(match(prompt_text,"(?i)\b(jailbreak|jailbroken|\bDAN\b mode|do anything now|developer mode|unrestricted mode|no (filters|restrictions|guardrails))\b"),1,0) | eval s_probe = if(match(prompt_text,"(?i)(reveal|repeat|print|show|output).{0,20}(system prompt|your instructions|initial (prompt|instructions)|the (text|words) above)"),1,0) | eval s_persona = if(match(prompt_text,"(?i)\b(you are now|new persona|pretend (to be|you are)|roleplay as|act as (if you|an unrestricted))\b"),1,0) | eval s_weak = if(match(prompt_text,"(?i)\b(you must|from now on|act as|override|new rules|hypothetically)\b"),1,0) | eval signal_count = s_override+s_jailbreak+s_probe+s_persona+s_weak | where s_override=1 OR s_jailbreak=1 OR s_probe=1 OR signal_count >= 2 | table _time, user, user_arn, modelId, prompt_text, host | sort - _time | `aws_bedrock_claude_possible_prompt_injection_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).