sigma-rules/hunting/llm
Terrance DeJesus 9181c00586 [New Hunt] Add Initial Okta Hunting Queries (#4064)
* adding new Okta hunting queries

* query format changes

* adding docs

* added query for mfa bombing

* adding remainder hunting queries

* adjusted incorrect hunt

* updated queries

* updated queries based on Samir's feedback

* removed failed login eval

* updated docs
2024-09-16 14:36:44 -04:00

LLM Threat Hunting Queries

Welcome to the LLM subfolder within the hunting directory of the detection-rules repository. This specialized section is dedicated to threat hunting queries designed for Large Language Model (LLM) applications, targeting the unique security challenges these systems face.

Emphasis on OWASP Top 10 for LLMs

Our queries are developed with a keen awareness of the OWASP Top 10 risks for Large Language Model Applications. This crucial resource outlines the predominant security risks for LLMs, guiding our efforts in crafting queries that proactively address these vulnerabilities and ensure comprehensive threat mitigation.

Emphasis on MITRE ATLAS

The ATLAS Matrix lays out the progression of tactics used in attacks, with ML techniques grouped under the tactic each belongs to. The tactics are:

  • Reconnaissance
  • Resource Development
  • Initial Access
  • ML Model Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Collection
  • ML Attack Staging
  • Exfiltration
  • Impact

Scope of Threats and Protections

The queries in this folder are tailored to monitor and protect against a broad spectrum of threats to LLMs:

  • Sensitive Content Refusal: Monitors LLM interactions to ensure compliance with ethical standards, particularly in refusing to process sensitive topics.
  • Denial of Service (DoS) and Resource Exhaustion: Aims to prevent disruptions in LLM operations by detecting patterns indicative of DoS attacks or resource exhaustion scenarios.
  • Latency Anomalies: Tracks processing delays that could signal underlying performance issues or security threats, maintaining operational efficiency and safeguarding against potential attacks like DDoS.

Benefits of These Queries

These queries assist organizations in:

  • Detecting and mitigating misuse or attacks that threaten data integrity or disrupt services.
  • Ensuring that LLMs adhere strictly to operational and ethical boundaries through continuous monitoring.
  • Maintaining high performance and reliability of LLMs by preemptively identifying and resolving factors that cause inefficiencies.

For more details, read our blog on LLM Detections.