Commit f54996f

Merge pull request #982 from splunk/aws_bedrock
AWS Bedrock attack data
2 parents d3ada92 + 0107a92 commit f54996f

10 files changed

+72
-0
lines changed
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
author: Bhavin Patel
2+
id: c467c7d4-5b8d-44c8-9259-8847e1e4df7a
3+
date: '2024-03-07'
4+
description: This dataset is generated in a AWS Bedrock Lab Environment by simulating events using AWS API calls
5+
environment: NA
6+
dataset:
7+
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/cloudtrail.json
8+
sourcetypes:
9+
- aws:cloudtrail
10+
references:
11+
- https://www.sumologic.com/blog/defenders-guide-to-aws-bedrock/
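Review bot: `environment: NA` on line 5 contradicts the description on line 4, which says the data was generated in an AWS Bedrock lab environment; the other metadata files in this commit use `environment: attack_range`, so either use the same value here or state what the lab was. The `date: '2024-03-07'` is also more than a year older than the `2025-04-10` used by the other files, so confirm it reflects when the events were captured. The dataset path sits under T1087.004 but `references` has no ATT&CK link, unlike the other files, and the description should read "an AWS" and name the event it covers (the path says invoke model access denied) rather than the generic "simulating events using AWS API calls".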
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
version https://git-lfs.github.com/spec/v1
2+
oid sha256:8da5f22e842c0c8cad3213028beffb8893e1de186ae07012c5b262390b98c112
3+
size 1509
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
author: Bhavin Patel
2+
id: 984e9022-b87b-499a-a260-8d0282c46ea2
3+
date: '2025-04-10'
4+
description: Dataset generated from AWS CloudTrail logs capturing the activity of a malicious actor deleting a knowledge base from AWS Bedrock.
5+
environment: attack_range
6+
dataset:
7+
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/aws_delete_knowledge_base/cloudtrail.json
8+
sourcetypes:
9+
- aws:cloudtrail
10+
references:
11+
- https://attack.mitre.org/techniques/T1485/
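Review bot: the `author` value on line 1 is `Bhavin Patel` here but `Bhavin Patel, Splunk` in the guardrails and model invocation logging files added by the same commit; pick one form so the metadata can be filtered by author consistently. The description on line 4 also speaks of "a malicious actor" while `environment: attack_range` is set; if the deletion was simulated, say so in the description so consumers do not read this as captured incident data.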
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
version https://git-lfs.github.com/spec/v1
2+
oid sha256:0074532dade6167059a8b32c6fc31cf16e545d2668686e5c636818b9c77742b5
3+
size 1415
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
author: Bhavin Patel, Splunk
2+
id: cdd4205f-e570-42ee-add9-048f2ac48a62
3+
date: '2025-04-10'
4+
description: Dataset which contains cloudtrail events with a deletes of AWS Bedrock GuardRails
5+
environment: attack_range
6+
dataset:
7+
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/cloudtrail.json
8+
sourcetypes:
9+
- aws:cloudtrail
10+
references:
11+
- https://attack.mitre.org/techniques/T1562/008/
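Review bot: the description on line 4 is ungrammatical ("with a deletes of AWS Bedrock GuardRails") and does not say how the events were produced. Suggest something like "Dataset containing CloudTrail events for the deletion of AWS Bedrock guardrails, generated in attack_range", which matches the `environment` value on line 5 and makes the file searchable by the action it represents.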
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
version https://git-lfs.github.com/spec/v1
2+
oid sha256:593e72338b0aa503a829c75cd5393be3da83b5b98922905915351395e71ea05b
3+
size 1546
@@ -0,0 +1,12 @@
1+
author: Bhavin Patel, Splunk
2+
id: 09f580b9-cbc0-4d90-8e26-7dd4584a5650
3+
date: '2025-04-10'
4+
description: Dataset which contains cloudtrail logs for aws delete model invocation logging
5+
environment: attack_range
6+
dataset:
7+
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/cloudtrail.json
8+
sourcetypes:
9+
- aws:cloudtrail
10+
references:
11+
- https://attack.mitre.org/techniques/T1562/008/
12+
- https://github.com/aquasecurity/cloudsploit
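Review bot: the `id` on line 2, `09f580b9-cbc0-4d90-8e26-7dd4584a5650`, is identical to the `id` in the `aws_bedrock_list_foundation_model_failures` metadata file added in this same commit. If `id` is meant to identify a dataset uniquely, one of the two needs a freshly generated UUID, otherwise any tooling that keys on it will treat the two datasets as one. A uniqueness check on `id` across the metadata files would catch this kind of copy-paste.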
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
version https://git-lfs.github.com/spec/v1
2+
oid sha256:8866bb9fffc8ee5aa0251f38e3d622e3f77fb075400dd7ccd2a44eef93500db7
3+
size 1410
@@ -0,0 +1,12 @@
1+
author: Bhavin Patel, Splunk
2+
id: 09f580b9-cbc0-4d90-8e26-7dd4584a5650
3+
date: '2025-04-10'
4+
description: Dataset which contains cloudtrail logs for aws invoke foundation model failures
5+
environment: attack_range
6+
dataset:
7+
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/cloudtrail.json
8+
sourcetypes:
9+
- aws:cloudtrail
10+
references:
11+
- https://attack.mitre.org/techniques/T1580
12+
- https://github.com/aquasecurity/cloudsploit
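Review bot: the description on line 4 says "invoke foundation model failures", but the dataset URL on line 7 points at `T1580/aws_bedrock_list_foundation_model_failures`, and the T1580 reference on line 11 is a discovery technique, which fits listing rather than invoking. One of the two is wrong; align the description with the directory name (or rename the directory) so a detection author picks the right dataset. The T1580 reference URL also lacks the trailing slash used by the other ATT&CK links in this commit.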
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
version https://git-lfs.github.com/spec/v1
2+
oid sha256:9e9d2a8e6eb06cc322f9065556a374ee77fa43b659141de7c2e99473c60b40e3
3+
size 15851