EXPLORE
← Back to Explore
splunk_escuAnomaly

AWS Bedrock Claude Cross Region Possible Inference Abuse

This detection identifies potential cross-region inference abuse in AWS Bedrock Claude models. Cross-region inference abuse may indicate attempts to bypass regional restrictions, exfiltrate data, or perform unauthorized actions across different AWS regions.

Detection Query

`aws_bedrock_claude`
| rename "identity.arn" AS user_arn
| rename "input.inputTokenCount" AS input_tokens
| rename "output.outputTokenCount" AS output_tokens
| rex field=user_arn "assumed-role/[^/]+/(?<user>[^\"]+)$"
| rex field="input.inputBodyJson.metadata.user_id" "(?<session_user>user_[^_]+.*)"
| eval input_tokens=tonumber(input_tokens)
| eval output_tokens=tonumber(output_tokens)
| eval token_ratio=round(output_tokens / max(input_tokens,1), 2)
| eval model_short=replace(modelId,"^.*/","")
| eval mismatch_detail=region." -> ".inferenceRegion
| where isnotnull(user_arn) AND len(user_arn)>10
| where isnotnull(session_user)
| where region!=inferenceRegion
| where input_tokens>=2000
| table _time, user, user_arn, session_user, model_short, input_tokens, output_tokens, token_ratio, mismatch_detail, operation, host
| sort - input_tokens
| `aws_bedrock_claude_cross_region_possible_inference_abuse_filter`

Author

Rod Soto

Data Sources

AWS Bedrock Claude
Raw Content
name: AWS Bedrock Claude Cross Region Possible Inference Abuse
id: e3d3f27d-b08e-415a-9811-8f72a0905ca6
version: 1
creation_date: '2026-07-06'
modification_date: '2026-07-06'
author: Rod Soto
status: production
type: Anomaly
data_source:
    - AWS Bedrock Claude
category: application
description: This detection identifies potential cross-region inference abuse in AWS Bedrock Claude models. Cross-region inference abuse may indicate attempts to bypass regional restrictions, exfiltrate data, or perform unauthorized actions across different AWS regions.
search: |-
    `aws_bedrock_claude`
    | rename "identity.arn" AS user_arn
    | rename "input.inputTokenCount" AS input_tokens
    | rename "output.outputTokenCount" AS output_tokens
    | rex field=user_arn "assumed-role/[^/]+/(?<user>[^\"]+)$"
    | rex field="input.inputBodyJson.metadata.user_id" "(?<session_user>user_[^_]+.*)"
    | eval input_tokens=tonumber(input_tokens)
    | eval output_tokens=tonumber(output_tokens)
    | eval token_ratio=round(output_tokens / max(input_tokens,1), 2)
    | eval model_short=replace(modelId,"^.*/","")
    | eval mismatch_detail=region." -> ".inferenceRegion
    | where isnotnull(user_arn) AND len(user_arn)>10
    | where isnotnull(session_user)
    | where region!=inferenceRegion
    | where input_tokens>=2000
    | table _time, user, user_arn, session_user, model_short, input_tokens, output_tokens, token_ratio, mismatch_detail, operation, host
    | sort - input_tokens
    | `aws_bedrock_claude_cross_region_possible_inference_abuse_filter`
how_to_implement: You must install and configure the Splunk Add-on for AWS (https://splunkbase.splunk.com/app/1876). Enable Amazon Bedrock model invocation logging in AWS so that Claude request/response payloads are delivered to S3 and/or CloudWatch Logs (see https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html for setup steps), then ingest those logs into Splunk via the AWS TA. Configure the `aws_bedrock_claude` macro to point to the index and sourcetype (`json_no_timestamp`) where these logs land.
known_false_positives: False positives may arise from legitimate use cases where users are accessing AWS Bedrock Claude models across different regions for valid reasons, such as multi-region deployments, testing, or development purposes. It is important to review the context of the detected events to determine if they represent actual abuse or benign usage.
references:
    - https://aws.amazon.com/blogs/apn/unlocking-the-power-of-splunk-with-amazon-bedrock-an-agentic-ai-approach-to-build-customized-splunk-assistants-using-bedrock-agents/
    - https://help.splunk.com/en/splunk-observability-cloud/observability-for-ai/splunk-ai-infrastructure-monitoring/set-up-ai-infrastructure-monitoring/amazon-bedrock
    - https://research.splunk.com/stories/aws_bedrock_security/
    - https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search user="$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: user
          type: user
          score: 20
          message: Cross-region inference abuse detected from $user$ ($session_user$) using model $model_short$ with region mismatch $mismatch_detail$ and $input_tokens$ input tokens on $host$.
analytic_story:
    - Suspicious AWS Bedrock Claude Activities
asset_type: Web Application
mitre_attack_id:
    - T1599
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
security_domain: endpoint
tests:
    - name: True Positive Test
      test_type: unit
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/aws_bedrock_claude/aws_bedrock_claude_cross_region_possible_inference_abuse.ndjson
          sourcetype: json_no_timestamp
          source: http:bulkawsbedrock