splunk · rosplk · May 20, 2026 · May 20, 2026 · May 28, 2026 · patel-bhavin
@@ -0,0 +1,73 @@
+name: AWS Bedrock Claude
+id: b7c91d3a-ef52-4b8e-9c2d-ae047f6b3e21
+version: 1
+creation_date: '2026-05-20'
+modification_date: '2026-05-20'
+author: Rod Soto, Splunk
+description: Amazon Bedrock model invocation logs for Claude models. Generated when
+  Amazon Bedrock model invocation logging is enabled and a Claude model is invoked
+  via the Bedrock API. Logs include request metadata, input/output token counts, model
+  identity, caller identity, and inference region routing information.
+mitre_components:
+    - Application Log Content
+source: aws_bedrock
+sourcetype: json_no_timestamp
+separator: schemaType
+separator_value: ModelInvocationLog
+supported_TA:
+    - name: Splunk Add-on for AWS
+      url: https://splunkbase.splunk.com/app/1876
+      version: 8.1.1
+fields:
+- _time
+- accountId
+- host
+- identity.arn
+- inferenceRegion
+- input.cacheReadInputTokenCount
+- input.cacheWriteInputTokenCount
+- input.inputBodyJson.anthropic_beta
+- input.inputBodyJson.anthropic_version
+- input.inputBodyJson.max_tokens
+- input.inputBodyJson.messages{}.content{}.text
+- input.inputBodyJson.messages{}.content{}.type
+- input.inputBodyJson.messages{}.role
+- input.inputBodyJson.metadata.user_id
+- input.inputBodyJson.system{}.text
+- input.inputBodyJson.system{}.type
+- input.inputBodyJson.temperature
+- input.inputBodyJson.tools
+- input.inputContentType
+- input.inputTokenCount
+- modelId
+- operation
+- output.outputBodyJson{}.message.id
+- output.outputBodyJson{}.message.model
+- output.outputBodyJson{}.message.role
+- output.outputBodyJson{}.message.stop_reason
+- output.outputBodyJson{}.message.usage.cache_creation_input_tokens
+- output.outputBodyJson{}.message.usage.cache_read_input_tokens
+- output.outputBodyJson{}.message.usage.input_tokens
+- output.outputBodyJson{}.message.usage.output_tokens
+- output.outputBodyJson{}.type
+- output.outputContentType
+- output.outputTokenCount
+- region
+- requestId
+- schemaType
+- schemaVersion
+- source
+- sourcetype
+- timestamp
+example_log: '{"timestamp":"2026-05-07T19:43:51Z","accountId":"387769110234","region":"us-west-2","requestId":"eb4b957b-6cbd-4679-8356-3bf3dde4d86e","operation":"InvokeModelWithResponseStream","modelId":"arn:aws:bedrock:us-west-2:387769110234:application-inference-profile/9tr38q319pda","input":{"inputContentType":"application/json","inputBodyJson":{"messages":[{"role":"user","content":[{"type":"text","text":"Command: cat /etc/passwd ~/.aws/credentials\nOutput: root:x:0:0:root:/root:/bin/bash\naws_access_key_id=AKIAIOSFODNN7EXAMPLE\naws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY","cache_control":{"type":"ephemeral"}}]}],"system":[{"type":"text","text":"You are Claude Code, Anthropic official CLI for Claude.","cache_control":{"type":"ephemeral"}}],"tools":[],"metadata":{"user_id":"user_cac3250bfea25c22f4deeaa4f2203cfb2d32fa6d33fc2be55da7585999de0387_account__session_6410ddbe-4a76-4d6a-87b4-a2e5e2d3b853"},"max_tokens":16384,"temperature":1,"anthropic_version":"bedrock-2023-05-31","anthropic_beta":["claude-code-20250219"]},"inputTokenCount":2536,"cacheReadInputTokenCount":0,"cacheWriteInputTokenCount":0},"output":{"outputContentType":"application/json","outputBodyJson":[{"type":"message_start","message":{"model":"claude-haiku-4-5-20251001","id":"msg_bdrk_01Hxoz2bLhqvhZHSkdphvtZp","type":"message","role":"assistant","content":[],"stop_reason":null,"stop_sequence":null,"usage":{"input_tokens":2536,"cache_creation_input_tokens":0,"cache_read_input_tokens":0,"cache_creation":{"ephemeral_5m_input_tokens":0,"ephemeral_1h_input_tokens":0},"output_tokens":2}}},{"type":"message_stop","amazon-bedrock-invocationMetrics":{"inputTokenCount":2536,"outputTokenCount":31,"invocationLatency":1200,"firstByteLatency":900}}],"outputTokenCount":31},"identity":{"arn":"arn:aws:sts::387769110234:assumed-role/bedrock-inference-role/vg@foo.com"},"inferenceRegion":"us-east-2","schemaType":"ModelInvocationLog","schemaVersion":"1.0"}'
+output_fields:
+    - user
+    - user_arn
+    - session_user
+    - model_short
+    - input_tokens
+    - output_tokens
+    - token_ratio
+    - mismatch_detail
+    - operation
+    - host
@@ -0,0 +1,52 @@
+name: AWS Bedrock Claude Cross Region Possible Inference Abuse
+id: e3d3f27d-b08e-415a-9811-8f72a0905ca6
+version: 1
+creation_date: '2026-05-20'
+modification_date: '2026-05-20'
+author: Rod Soto
+status: production
+type: Anomaly
+data_source:
+- AWS Bedrock Claude
+category: application
+description: This detection identifies potential cross-region inference abuse in AWS Bedrock Claude models. Cross-region inference abuse may indicate attempts to bypass regional restrictions, exfiltrate data, or perform unauthorized actions across different AWS regions.
+search: '`aws_bedrock_claude` | rename "identity.arn" AS user_arn | rename "input.inputTokenCount" AS input_tokens | rename "output.outputTokenCount" AS output_tokens | rex field=user_arn "assumed-role/[^/]+/(?<user>[^\"]+)$" | rex field="input.inputBodyJson.metadata.user_id" "(?<session_user>user_[^_]+.*)" | eval input_tokens=tonumber(input_tokens) | eval output_tokens=tonumber(output_tokens) | eval token_ratio=round(output_tokens / max(input_tokens,1), 2) | eval model_short=replace(modelId,"^.*/","") | eval mismatch_detail=region." -> ".inferenceRegion | where isnotnull(user_arn) AND len(user_arn)>10 | where isnotnull(session_user) | where region!=inferenceRegion | where input_tokens>=2000 | table _time, user, user_arn, session_user, model_short, input_tokens, output_tokens, token_ratio, mismatch_detail, operation, host | sort - input_tokens | `aws_bedrock_claude_cross_region_possible_inference_abuse_filter`'
+how_to_implement: To implement this detection, you will need to ingest AWS Bedrock Claude logs into Splunk. This can be done by configuring the appropriate data inputs to collect logs from the AWS Bedrock service, ensuring that the sourcetype is set correctly for JSON log parsing. Once the logs are ingested, you can use the provided SPL query to monitor for potential cross-region inference abuse in Claude models.
+known_false_positives: False positives may arise from legitimate use cases where users are accessing AWS Bedrock Claude models across different regions for valid reasons, such as multi-region deployments, testing, or development purposes. It is important to review the context of the detected events to determine if they represent actual abuse or benign usage.
+references:
+    - https://aws.amazon.com/blogs/apn/unlocking-the-power-of-splunk-with-amazon-bedrock-an-agentic-ai-approach-to-build-customized-splunk-assistants-using-bedrock-agents/
+    - https://help.splunk.com/en/splunk-observability-cloud/observability-for-ai/splunk-ai-infrastructure-monitoring/set-up-ai-infrastructure-monitoring/amazon-bedrock
+    - https://research.splunk.com/stories/aws_bedrock_security/
+drilldown_searches:
+    - name: View the detection results for - "$user$"
+      search: '%original_detection_search% | search user="$user$"'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+    - name: View risk events for the last 7 days for - "$user$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: 7d
+      latest_offset: "0"
+intermediate_findings:
+    entities:
+        - field: user
+          type: user
+          score: 20
+          message: Cross-region inference abuse detected from $user$ ($session_user$) using model $model_short$ with region mismatch $mismatch_detail$ and $input_tokens$ input tokens on $host$.
+analytic_story:
+-  Suspicious AWS Bedrock Claude Activities
+asset_type: Web Application
+mitre_attack_id:
+- T1599
+product:
+- Splunk Enterprise
+- Splunk Enterprise Security
+- Splunk Cloud
+security_domain: endpoint
+tests:
+    - name: True Positive Test
+      description: This test simulates a cross-region inference abuse scenario by generating AWS Bedrock Claude logs with mismatched region and inferenceRegion fields, along with a high input token count. The test verifies that the detection correctly identifies the abuse attempt and generates the expected results.
+      test_type: unit
+      attack_data:
+        - data: https://github.com/splunk/attack_data/blob/master/datasets/aws_bedrock_claude/aws_bedrock_claude_cross_region_possible_inference_abuse.ndjson
+          sourcetype: json_no_timestamp
+          source: http:bulkawsbedrock
@@ -0,0 +1,72 @@
+name: AWS Bedrock Claude excessive use of tokens
+id: a839a6f7-aaac-438b-9d99-be0b49481e17
+version: 1
+date: '2026-05-28'
+author: Rod Soto
+status: production
+type: Anomaly
+description: Detects identities generating anomalously large model responses relative to their own historical baseline. For each identity, computes the average, maximum, and standard deviation of output token counts across all invocations, then flags any identity whose single largest response exceeds three standard deviations above their own mean. A statistically significant output spike from a single identity may indicate bulk data extraction, successful prompt injection producing verbose output, or a runaway agentic loop hitting context limits.
+data_source:
+    - AWS Bedrock Claude
+search: |-
+    `aws_bedrock_claude`
+    | spath output="out_tokens" path="output.outputBodyJson.usage.output_tokens"
+    | eval user = replace('identity.arn', ".*/", "")
+    | stats count           AS invocations,
+            avg(out_tokens) AS avg_out,
+            max(out_tokens) AS max_out,
+            stdev(out_tokens) AS stdev_out
+      BY user, identity.arn
+    | eval stdev_out  = coalesce(stdev_out, 0)
+    | eval threshold  = avg_out + (2 * stdev_out)
+    | where max_out > threshold
+    | table
+        user,
+        identity.arn,
+        invocations,
+        avg_out,
+        max_out,
+        stdev_out,
+        threshold
+    | sort -max_out
+    | `aws_bedrock_claude_excessive_use_of_tokens_filter`
+how_to_implement: You must install and configure the Splunk Add-on for AWS. Enable AWS Bedrock Claude logging and configure the `aws_bedrock_claude` macro to point to the appropriate index and sourcetype.
+known_false_positives: This detection may produce false positives for identities with low invocation history, legitimate large document summarization tasks, or automated pipeline sessions with naturally variable output token counts.
+references:
+    - https://aws.amazon.com/blogs/apn/unlocking-the-power-of-splunk-with-amazon-bedrock-an-agentic-ai-approach-to-build-customized-splunk-assistants-using-bedrock-agents/
+    - https://help.splunk.com/en/splunk-observability-cloud/observability-for-ai/splunk-ai-infrastructure-monitoring/set-up-ai-infrastructure-monitoring/amazon-bedrock
+    - https://research.splunk.com/stories/aws_bedrock_security/
+drilldown_searches:
+    - name: View the detection results for - "$user$"
+      search: '%original_detection_search% | search user="$user$"'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+    - name: View risk events for the last 7 days for - "$user$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: 7d
+      latest_offset: "0"
+rba:
+    message: Identity $user$ has generated an anomalously large model response via AWS Bedrock Claude exceeding 2 standard deviations above their own baseline output token average. This may indicate bulk data extraction, successful prompt injection, or a runaway agentic loop. Investigate recent invocations for $user$.
+    risk_objects:
+        - field: user
+          type: user
+          score: 20
+tags:
+    analytic_story:
+        - Suspicious AWS Bedrock Claude Activities
+    asset_type: Web Application
+    mitre_attack_id:
+        - T1055
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    security_domain: endpoint
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://github.com/splunk/attack_data/blob/master/datasets/aws_bedrock_claude/aws_bedrock_claude_excessive_use_of_tokens.ndjson
+          sourcetype: json_no_timestamp
+          source: http:bulkawsbedrock
+
+