
Summary
Detects identities generating anomalously large output from AWS Bedrock Claude relative to their historical baseline. For each identity, the rule computes the mean, maximum, and standard deviation of output token counts across all invocations, then flags any identity whose largest observed output exceeds mean + 2*stdev. This highlights potential bulk data extraction, verbose outputs from prompt injections, or runaway agentic loops hitting model context limits. The alert surfaces the identity (user and ARN), number of invocations, mean tokens, max tokens, standard deviation, and the computed threshold to aid investigation. Implementation relies on Bedrock Claude logs ingested into Splunk via the AWS Bedrock integration and uses a dedicated macro (aws_bedrock_claude) to search the index/sourcetype (json_no_timestamp). Known false positives include identities with very few invocations, legitimate large-document summarization tasks, or automated pipelines with naturally variable outputs.
Categories
- Cloud
- Application
Data Sources
- Web Credential
- Cloud Service
- Cloud Storage
- Internet Scan
- Application Log
- Cloud Service
- Cloud Storage
- Internet Scan
- Application Log
- Cloud Service
- Cloud Storage
- Internet Scan
- Application Log
ATT&CK Techniques
- T1055
Created: 2026-07-07