{
  "version": 1,
  "generatedFrom": "temp/LLM_SOC/asset-page.md",
  "detections": [
    {
      "id": "mcp-prompt-injection",
      "name": "MCP Prompt Injection",
      "surface": "Prompt injection over MCP traffic",
      "scenario": "Prompt injection with an unexpected action or output",
      "sourceRepo": "splunk/security_content",
      "sourcePath": "detections/application/mcp_prompt_injection.yml",
      "notes": "Starting point for inbound MCP prompt tampering and instruction-override patterns. The search is a fixed keyword list over inbound MCP traffic, so paraphrased, encoded or non-English injections will not trigger it; treat a hit as a candidate for review rather than a complete control, and tune the filter macro for benign uses of these phrases in tool payloads.",
      "spl": "`mcp_server` direction=inbound ( \"IGNORE PREVIOUS INSTRUCTIONS\" OR \"AI_INSTRUCTION\" OR \"SYSTEM PROMPT OVERRIDE\" OR \"[SYSTEM]:\" OR \"ignore all security\" OR \"New directive\" OR \"ignore security policies\" )\n| eval dest=host\n| eval injection_payload=coalesce('params.content_preview', 'params.result_preview')\n| eval target_path='params.path'\n| eval sql_query='params.query'\n| stats count min(_time) as firstTime max(_time) as lastTime values(method) as method values(target_path) as target_path values(sql_query) as sql_query values(injection_payload) as injection_payload by dest, source\n| `security_content_ctime(firstTime)`\n| `security_content_ctime(lastTime)`\n| table dest firstTime lastTime count source method target_path sql_query injection_payload\n| `mcp_prompt_injection_filter`"
    },
    {
      "id": "m365-copilot-jailbreak-attempts",
      "name": "M365 Copilot Jailbreak Attempts",
      "surface": "Jailbreak attempts against Microsoft 365 Copilot prompts",
      "scenario": "Prompt injection with an unexpected action or output",
      "sourceRepo": "splunk/security_content",
      "sourcePath": "detections/cloud/m365_copilot_jailbreak_attempts.yml",
      "notes": "Frames suspicious override language and repeated jailbreak semantics in prompt telemetry. Scoring uses only Subject_Title, and any prompt containing ignore, bypass or override already scores 3 and passes the threshold, so ordinary business prompts will surface; triage the higher-scored patterns first and tune the filter macro for the rest. Depends on the eDiscovery prompt-log export feeding the source macro.",
      "spl": "`m365_exported_ediscovery_prompt_logs`\n| search Subject_Title IN (\"*act as*\", \"*bypass*\", \"*ignore*\", \"*override*\", \"*pretend you are*\", \"*rules=*\")\n| eval user = Sender\n| eval jailbreak_score=case(match(Subject_Title, \"(?i)pretend you are.*amoral\"), 4, match(Subject_Title, \"(?i)act as.*entities\"), 3, match(Subject_Title, \"(?i)(ignore|bypass|override)\"), 3, match(Subject_Title, \"(?i)rules\\s*=\"), 4, 1=1, 1)\n| where jailbreak_score >= 2\n| table _time, user, Subject_Title, jailbreak_score, Workload, Size\n| sort -jailbreak_score, -_time\n| `m365_copilot_jailbreak_attempts_filter`"
    },
    {
      "id": "llm-model-file-creation",
      "name": "LLM Model File Creation",
      "surface": "Local creation of LLM model files on endpoints",
      "scenario": "Unauthorized use or identity abuse on LLM interfaces",
      "sourceRepo": "splunk/security_content",
      "sourcePath": "detections/endpoint/llm_model_file_creation.yml",
      "notes": "Helpful to detect local model staging, side-loading or framework deployment on monitored endpoints. Matching is on file-name patterns only (gguf, ggml, Modelfile, safetensors), so renamed model files are missed and legitimate ML workstations will produce volume; baseline expected hosts and users through the filter macro.",
      "spl": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*.gguf*\", \"*ggml*\", \"*Modelfile*\", \"*safetensors*\") by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product\n| `drop_dm_object_name(Filesystem)`\n| `security_content_ctime(firstTime)`\n| `security_content_ctime(lastTime)`\n| `llm_model_file_creation_filter`"
    },
    {
      "id": "local-llm-framework-dns-query",
      "name": "Local LLM Framework DNS Query",
      "surface": "Local LLM framework usage or model download activity",
      "scenario": "Model DoS and token or latency abuse",
      "sourceRepo": "splunk/security_content",
      "sourcePath": "detections/network/local_llm_framework_dns_query.yml",
      "notes": "Useful for spotting framework setup, model fetches or shadow AI activity from endpoints that should not use local LLM tooling. The domain list mixes local-framework sites with hosted API providers (openai, anthropic, replicate, openrouter, aliyun) and uses substring wildcards, so expect matches well beyond local tooling; baseline sanctioned use before alerting. Sysmon Event ID 22 is Windows DNS telemetry only, and the NOT Image exclusions suppress anything launched from C:\\ProgramData, System32 or SysWOW64, which also hides tooling dropped into those paths.",
      "spl": "`sysmon` EventCode=22 QueryName IN (\"*huggingface*\", \"*ollama*\", \"*jan.ai*\", \"*gpt4all*\", \"*nomic*\", \"*koboldai*\", \"*lmstudio*\", \"*modelscope*\", \"*civitai*\", \"*oobabooga*\", \"*replicate*\", \"*anthropic*\", \"*openai*\", \"*openrouter*\", \"*api.openrouter*\", \"*aliyun*\", \"*alibabacloud*\", \"*dashscope.aliyuncs*\") NOT Image IN (\"*\\MsMpEng.exe\", \"C:\\ProgramData\\*\", \"C:\\Windows\\System32\\*\", \"C:\\Windows\\SysWOW64\\*\")\n| stats count min(_time) as firstTime max(_time) as lastTime by src Image process_name QueryName query_count answer answer_count reply_code_id vendor_product\n| `security_content_ctime(firstTime)`\n| `security_content_ctime(lastTime)`\n| `local_llm_framework_dns_query_filter`"
    },
    {
      "id": "aws-bedrock-invoke-model-access-denied",
      "name": "AWS Bedrock Invoke Model Access Denied",
      "surface": "Denied attempts to invoke AWS Bedrock models",
      "scenario": "Unauthorized use or identity abuse on LLM interfaces",
      "sourceRepo": "splunk/security_content",
      "sourcePath": "detections/cloud/aws_bedrock_invoke_model_access_denied.yml",
      "notes": "Useful to spot abusive or mis-scoped Bedrock access attempts tied to identities, tenants or automation paths. Only eventName=InvokeModel with errorCode=AccessDenied is matched, so other Bedrock invocation APIs and successful calls are out of scope; extend the eventName filter if those should be covered. A single denial is usually a permissions mistake; repeated denials from one user or src, or across many modelIds, is the stronger signal.",
      "spl": "`cloudtrail` eventSource=bedrock.amazonaws.com eventName=InvokeModel errorCode=AccessDenied\n| rename user_name as user\n| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.modelId) as modelIds by src user user_agent vendor_account vendor_product dest signature vendor_region result result_id\n| `security_content_ctime(firstTime)`\n| `security_content_ctime(lastTime)`\n| `aws_bedrock_invoke_model_access_denied_filter`"
    }
  ]
}