MITRE ATLAS AI Threat Detection for Splunk app icon

MITRE ATLAS AI Threat Detection for Splunk

10 free MITRE ATLAS detection rules for AI/LLM threats. Guided setup with auto-discovery and platform-specific configuration for 12 LLM providers. Detects prompt injection, jailbreak, exfiltration, training data poisoning, model reconnaissance, and more.

Built by
splunk product badge
screenshot
screenshot
screenshot
screenshot
screenshot
Latest Version 1.0.0
March 5, 2026
Compatibility
Splunk Enterprise, Splunk Cloud
Platform Version: 10.2, 10.1, 10.0, 9.4, 9.3, 9.2, 9.1, 9.0, 8.2, 8.1, 8.0
Rating

0

(0)

Log in to rate this app
Support
MITRE ATLAS AI Threat Detection for Splunk support icon
Developer Supported app
Ranking

#37

in Artificial Intelligence
MITRE ATLAS is the adversarial threat matrix for AI/ML systems — the AI equivalent of MITRE ATT&CK. As organizations deploy LLMs, RAG pipelines, and ML APIs into production, they create an attack surface that most Splunk deployments have zero detection coverage for. This app provides 10 detection rules for AI and LLM threats, mapped to specific MITRE ATLAS technique IDs. Each rule is a Splunk saved search that monitors your AI/LLM logs for known attack patterns including prompt injection, jailbreak attempts, data exfiltration via inference APIs, training data poisoning, model reconnaissance, and AI abuse. The app includes a guided Setup dashboard that auto-discovers AI/LLM data in your environment, validates required fields, and shows which rules your data supports. A Configuration Guide provides platform-specific instructions for 12 LLM providers including LiteLLM, Azure OpenAI, AWS Bedrock, OpenAI, GCP Vertex AI, Kong AI Gateway, Portkey, Helicone, Cloudflare AI Gateway, Anthropic, self-hosted models (Ollama, vLLM, TGI), and custom API gateways. Rules are organized into two tiers: Tier 1 (Operational) — works with standard telemetry: token counts, API call volumes, storage access logs. Available from most platforms with default logging. Tier 2 (Content Inspection) — requires actual prompt/response text in log events. Requires explicit opt-in on all major platforms. The Configuration Guide explains how to enable this for each provider. Detection Coverage: - AML.T0051.000 Direct Prompt Injection (Tier 2) - AML.T0051.001 Indirect Prompt Injection via Retrieved Content (Tier 2) - AML.T0054 LLM Jailbreak (Tier 2) - AML.T0024 Exfiltration via ML Inference API (Tier 1) - AML.T0020 Training Data Poisoning (Tier 1) - AML.T0047 AI-Enabled Bulk Content Generation (Tier 1) - AML.T0048 External Harms Safety Flag (Tier 1) - AML.T0012 Valid Account Abuse on AI Platform (Tier 1) - AML.T0014 AI Model Reconnaissance (Tier 2) - AML.T0007 AI Artifact Discovery (Tier 1) All rules ship disabled by default. No Python scripts, no external dependencies — pure SPL and CSV lookups. Detection results are written to the summary index for fast dashboard rendering. Built by a Splunk Enterprise Architect with 10+ years of hands-on experience. This app is a standalone community release from GIC Engineering Consultants.

Categories

Artificial Intelligence, Security, Fraud & Compliance

Created By

Marcus House

Type

app

Downloads

3

Licensing

Splunk End User License for Third Party Content(Opens new window)

Splunk Answers

Ask a question about this app listing(Opens new window)

Resources

Log in to report this app listing