| ID | Technique | Tactic |
|---|---|---|
| T1055 | Process Injection | Privilege Escalation |
Detection: AWS Bedrock Claude excessive use of tokens
Description
Detects identities generating anomalously large model responses relative to their own historical baseline. For each identity, computes the average, maximum, and standard deviation of output token counts across all invocations, then flags any identity whose single largest response exceeds two standard deviations above their own mean. A statistically significant output spike from a single identity may indicate bulk data extraction, successful prompt injection producing verbose output, or a runaway agentic loop hitting context limits.
Search
1`aws_bedrock_claude`
2
3| spath output="out_tokens" path="output.outputBodyJson.usage.output_tokens"
4
5| eval user = replace('identity.arn', ".*/", "")
6
7| stats count AS invocations,
8 avg(out_tokens) AS avg_out,
9 max(out_tokens) AS max_out,
10 stdev(out_tokens) AS stdev_out
11 BY user, identity.arn
12
13| eval stdev_out = coalesce(stdev_out, 0)
14
15| eval threshold = avg_out + (2 * stdev_out)
16
17| where max_out > threshold
18
19| table
20 user,
21 identity.arn,
22 invocations,
23 avg_out,
24 max_out,
25 stdev_out,
26 threshold
27
28| sort -max_out
29
30| `aws_bedrock_claude_excessive_use_of_tokens_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| AWS Bedrock Claude | 'json_no_timestamp' |
'aws_bedrock' |
Macros Used
| Name | Value |
|---|---|
| aws_bedrock_claude | (sourcetype="json_no_timestamp") |
| aws_bedrock_claude_excessive_use_of_tokens_filter | search * |
aws_bedrock_claude_excessive_use_of_tokens_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | No |
| Creates Intermediate Finding (Risk Event) | Yes |
Implementation
You must install and configure the Splunk Add-on for AWS (https://splunkbase.splunk.com/app/1876). Enable Amazon Bedrock model invocation logging in AWS so that Claude request/response payloads are delivered to S3 and/or CloudWatch Logs (see https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html for setup steps), then ingest those logs into Splunk via the AWS TA. Configure the aws_bedrock_claude macro to point to the index and sourcetype (json_no_timestamp) where these logs land.
Known False Positives
This detection may produce false positives for identities with low invocation history, legitimate large document summarization tasks, or automated pipeline sessions with naturally variable output token counts.
Associated Analytic Story
Intermediate Findings
| Message | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| Identity $user$ generated anomalously high output tokens in AWS Bedrock Claude with max output $max_out$ above threshold $threshold$. | user | user | 20 |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | http:bulkawsbedrock |
json_no_timestamp |
| Integration | ✅ Passing | Dataset | http:bulkawsbedrock |
json_no_timestamp |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub |
Version: 1