← Back to Explore
splunk_escuAnomaly
AWS Bedrock Claude excessive use of tokens
Detects identities generating anomalously large model responses relative to their own historical baseline. For each identity, computes the average, maximum, and standard deviation of output token counts across all invocations, then flags any identity whose single largest response exceeds two standard deviations above their own mean. A statistically significant output spike from a single identity may indicate bulk data extraction, successful prompt injection producing verbose output, or a runaway agentic loop hitting context limits.
Detection Query
`aws_bedrock_claude`
| spath output="out_tokens" path="output.outputBodyJson.usage.output_tokens"
| eval user = replace('identity.arn', ".*/", "")
| stats count AS invocations,
avg(out_tokens) AS avg_out,
max(out_tokens) AS max_out,
stdev(out_tokens) AS stdev_out
BY user, identity.arn
| eval stdev_out = coalesce(stdev_out, 0)
| eval threshold = avg_out + (2 * stdev_out)
| where max_out > threshold
| table
user,
identity.arn,
invocations,
avg_out,
max_out,
stdev_out,
threshold
| sort -max_out
| `aws_bedrock_claude_excessive_use_of_tokens_filter`Author
Rod Soto
Data Sources
AWS Bedrock Claude
References
- https://aws.amazon.com/blogs/apn/unlocking-the-power-of-splunk-with-amazon-bedrock-an-agentic-ai-approach-to-build-customized-splunk-assistants-using-bedrock-agents/
- https://help.splunk.com/en/splunk-observability-cloud/observability-for-ai/splunk-ai-infrastructure-monitoring/set-up-ai-infrastructure-monitoring/amazon-bedrock
- https://research.splunk.com/stories/aws_bedrock_security/
- https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html
Raw Content
name: AWS Bedrock Claude excessive use of tokens
id: a839a6f7-aaac-438b-9d99-be0b49481e17
version: 1
creation_date: '2026-07-06'
modification_date: '2026-07-06'
author: Rod Soto
status: production
type: Anomaly
description: Detects identities generating anomalously large model responses relative to their own historical baseline. For each identity, computes the average, maximum, and standard deviation of output token counts across all invocations, then flags any identity whose single largest response exceeds two standard deviations above their own mean. A statistically significant output spike from a single identity may indicate bulk data extraction, successful prompt injection producing verbose output, or a runaway agentic loop hitting context limits.
data_source:
- AWS Bedrock Claude
search: |-
`aws_bedrock_claude`
| spath output="out_tokens" path="output.outputBodyJson.usage.output_tokens"
| eval user = replace('identity.arn', ".*/", "")
| stats count AS invocations,
avg(out_tokens) AS avg_out,
max(out_tokens) AS max_out,
stdev(out_tokens) AS stdev_out
BY user, identity.arn
| eval stdev_out = coalesce(stdev_out, 0)
| eval threshold = avg_out + (2 * stdev_out)
| where max_out > threshold
| table
user,
identity.arn,
invocations,
avg_out,
max_out,
stdev_out,
threshold
| sort -max_out
| `aws_bedrock_claude_excessive_use_of_tokens_filter`
how_to_implement: You must install and configure the Splunk Add-on for AWS (https://splunkbase.splunk.com/app/1876). Enable Amazon Bedrock model invocation logging in AWS so that Claude request/response payloads are delivered to S3 and/or CloudWatch Logs (see https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html for setup steps), then ingest those logs into Splunk via the AWS TA. Configure the `aws_bedrock_claude` macro to point to the index and sourcetype (`json_no_timestamp`) where these logs land.
known_false_positives: This detection may produce false positives for identities with low invocation history, legitimate large document summarization tasks, or automated pipeline sessions with naturally variable output token counts.
references:
- https://aws.amazon.com/blogs/apn/unlocking-the-power-of-splunk-with-amazon-bedrock-an-agentic-ai-approach-to-build-customized-splunk-assistants-using-bedrock-agents/
- https://help.splunk.com/en/splunk-observability-cloud/observability-for-ai/splunk-ai-infrastructure-monitoring/set-up-ai-infrastructure-monitoring/amazon-bedrock
- https://research.splunk.com/stories/aws_bedrock_security/
- https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html
drilldown_searches:
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user="$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
intermediate_findings:
entities:
- field: user
type: user
score: 20
message: Identity $user$ generated anomalously high output tokens in AWS Bedrock Claude with max output $max_out$ above threshold $threshold$.
analytic_story:
- Suspicious AWS Bedrock Claude Activities
asset_type: Web Application
mitre_attack_id:
- T1055
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: application
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/aws_bedrock_claude/aws_bedrock_claude_excessive_use_of_tokens.ndjson
sourcetype: json_no_timestamp
source: http:bulkawsbedrock
test_type: unit