AWS Bedrock attack data

datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/aws_invoke_model_access_denied.yml

@@ -0,0 +1,11 @@
+author: Bhavin Patel
+id: c467c7d4-5b8d-44c8-9259-8847e1e4df7a
+date: '2024-03-07'
+description: This dataset is generated in a AWS Bedrock Lab Environment by simulating events using AWS API calls
+environment: NA
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.004/aws_invoke_model_access_denied/cloudtrail.json
+sourcetypes:
+- aws:cloudtrail
+references:
+- https://www.sumologic.com/blog/defenders-guide-to-aws-bedrock/

datasets/attack_techniques/T1485/aws_delete_knowledge_base/aws_delete_knowledge_base.yml

@@ -0,0 +1,11 @@
+author: Bhavin Patel
+id: 984e9022-b87b-499a-a260-8d0282c46ea2
+date: '2025-04-10'
+description: Dataset generated from AWS CloudTrail logs capturing the activity of a malicious actor deleting a knowledge base from AWS Bedrock.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/aws_delete_knowledge_base/cloudtrail.json
+sourcetypes:
+- aws:cloudtrail
+references:
+- https://attack.mitre.org/techniques/T1485/

datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/aws_bedrock_delete_guardrails.yml

@@ -0,0 +1,11 @@
+author: Bhavin Patel, Splunk
+id: cdd4205f-e570-42ee-add9-048f2ac48a62
+date: '2025-04-10'
+description: Dataset which contains cloudtrail events with a deletes of AWS Bedrock GuardRails
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_bedrock_delete_guardrails/cloudtrail.json
+sourcetypes:
+- aws:cloudtrail
+references:
+- https://attack.mitre.org/techniques/T1562/008/

datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/aws_bedrock_delete_model_invocation_logging.yml

@@ -0,0 +1,12 @@
+author: Bhavin Patel, Splunk
+id: 09f580b9-cbc0-4d90-8e26-7dd4584a5650
+date: '2025-04-10'
+description: Dataset which contains cloudtrail logs for aws delete model invocation logging
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/aws_bedrock_delete_model_invocation_logging/cloudtrail.json
+sourcetypes:
+- aws:cloudtrail
+references:
+- https://attack.mitre.org/techniques/T1562/008/
+- https://github.com/aquasecurity/cloudsploit

datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/aws_bedrock_list_foundation_model_failures.yml

@@ -0,0 +1,12 @@
+author: Bhavin Patel, Splunk
+id: 09f580b9-cbc0-4d90-8e26-7dd4584a5650
+date: '2025-04-10'
+description: Dataset which contains cloudtrail logs for aws invoke foundation model failures
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1580/aws_bedrock_list_foundation_model_failures/cloudtrail.json
+sourcetypes:
+- aws:cloudtrail
+references:
+- https://attack.mitre.org/techniques/T1580
+- https://github.com/aquasecurity/cloudsploit