← Back to Explore
splunk_escuAnomaly
Ollama Possible Model Exfiltration Data Leakage
Detects data leakage and exfiltration attempts targeting Ollama model metadata and configuration endpoints. Adversaries repeatedly query /api/show, /api/tags, and /api/v1/models to systematically extract sensitive model information including architecture details, fine-tuning parameters, system paths, Modelfile configurations, and proprietary customizations. Multiple inspection attempts within a 15-minute window indicate automated exfiltration of valuable intellectual property such as custom model configurations, system prompts, and internal model specifications. This activity represents unauthorized data disclosure that could enable competitive intelligence gathering, model replication, or preparation for advanced attacks against the AI infrastructure.
MITRE ATT&CK
Detection Query
`ollama_server` | rex field=_raw "\|\s+(?<status_code>\d+)\s+\|\s+(?<response_time>[\d\.]+)s\s+\|\s+(?<src_ip>[\:\da-f\.]+)\s+\|\s+(?<http_method>\w+)\s+\"(?<uri_path>[^\"]+)\"" | eval src=src_ip | eval dest=uri_path | where response_time > 55 | bin _time span=15m | stats count, avg(response_time) as avg_response_time, max(response_time) as max_response_time by _time, src, dest, uri_path | eval avg_response_time=round(avg_response_time, 2) | eval max_response_time=round(max_response_time, 2) | eval severity=case( avg_response_time > 50, "high", avg_response_time > 40, "medium", 1=1, "low" ) | eval attack_type="Potential Data Exfiltration" | sort -_time | stats count by _time, src, uri_path, avg_response_time, max_response_time, severity, attack_type | `ollama_possible_model_exfiltration_data_leakage_filter`Author
Rod Soto
Created
2026-03-10
Data Sources
Ollama Server
References
Tags
Suspicious Ollama Activities
Raw Content
name: Ollama Possible Model Exfiltration Data Leakage
id: c9fd1a54-0eab-4470-8970-d5fcc3c740fb
version: 2
date: '2026-03-10'
author: Rod Soto
status: experimental
type: Anomaly
description: Detects data leakage and exfiltration attempts targeting Ollama model metadata and configuration endpoints. Adversaries repeatedly query /api/show, /api/tags, and /api/v1/models to systematically extract sensitive model information including architecture details, fine-tuning parameters, system paths, Modelfile configurations, and proprietary customizations. Multiple inspection attempts within a 15-minute window indicate automated exfiltration of valuable intellectual property such as custom model configurations, system prompts, and internal model specifications. This activity represents unauthorized data disclosure that could enable competitive intelligence gathering, model replication, or preparation for advanced attacks against the AI infrastructure.
data_source:
- Ollama Server
search: '`ollama_server` | rex field=_raw "\|\s+(?<status_code>\d+)\s+\|\s+(?<response_time>[\d\.]+)s\s+\|\s+(?<src_ip>[\:\da-f\.]+)\s+\|\s+(?<http_method>\w+)\s+\"(?<uri_path>[^\"]+)\"" | eval src=src_ip | eval dest=uri_path | where response_time > 55 | bin _time span=15m | stats count, avg(response_time) as avg_response_time, max(response_time) as max_response_time by _time, src, dest, uri_path | eval avg_response_time=round(avg_response_time, 2) | eval max_response_time=round(max_response_time, 2) | eval severity=case( avg_response_time > 50, "high", avg_response_time > 40, "medium", 1=1, "low" ) | eval attack_type="Potential Data Exfiltration" | sort -_time | stats count by _time, src, uri_path, avg_response_time, max_response_time, severity, attack_type | `ollama_possible_model_exfiltration_data_leakage_filter`'
how_to_implement: 'Ingest Ollama logs via Splunk TA-ollama add-on by configuring file monitoring inputs pointed to your Ollama server log directories (sourcetype: ollama:server), or enable HTTP Event Collector (HEC) for real-time API telemetry and prompt analytics (sourcetypes: ollama:api, ollama:prompts). CIM compatibility using the Web datamodel for standardized security detections.'
known_false_positives: Legitimate administrative activities such as model inventory management, monitoring dashboards polling model status, automated health checks verifying model availability, CI/CD pipelines validating deployments, development tools inspecting model configurations, or users browsing available models through management interfaces may trigger this detection during normal operations. Adjust the threshold based on your environment's baseline activity.
references:
- https://github.com/rosplk/ta-ollama
drilldown_searches:
- name: View the detection results for - "$src$"
search: '%original_detection_search% | search "$src = "$src$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: Potential model data exfiltration detected from $src$ with $avg_response_time$ attempts across endpoints, indicating systematic extraction of sensitive model configurations, architecture details, and proprietary customizations that may constitute intellectual property theft.
risk_objects:
- field: src
type: system
score: 20
threat_objects: []
tags:
analytic_story:
- Suspicious Ollama Activities
asset_type: Web Application
mitre_attack_id:
- T1048
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/ollama/server.log
sourcetype: ollama:server
source: server.log