Potential Abuse of Resources by High Token Count and Large Response Sizes

  1[metadata]
  2creation_date = "2024/05/04"
  3integration = ["aws_bedrock"]
  4maturity = "production"
  5updated_date = "2025/09/25"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects potential resource exhaustion or data breach attempts by monitoring for users who consistently generate high
 11input token counts, submit numerous requests, and receive large responses. This behavior could indicate an attempt to
 12overload the system or extract an unusually large amount of data, possibly revealing sensitive information or causing
 13service disruptions.
 14"""
 15false_positives = ["Authorized heavy usage of the system that is business justified and monitored."]
 16from = "now-60m"
 17interval = "10m"
 18language = "esql"
 19license = "Elastic License v2"
 20name = "Potential Abuse of Resources by High Token Count and Large Response Sizes"
 21note = """## Triage and analysis
 22
 23### Investigating Potential Abuse of Resources by High Token Count and Large Response Sizes
 24
 25Amazon Bedrock is AWS’s managed service that enables developers to build and scale generative AI applications using large foundation models (FMs) from top providers.
 26
 27Bedrock offers a variety of pretrained models from Amazon (such as the Titan series), as well as models from providers like Anthropic, Meta, Cohere, and AI21 Labs.
 28
 29#### Possible investigation steps
 30
 31- Identify the user account that used high prompt token counts and whether it should perform this kind of action.
 32- Investigate large response sizes and the number of requests made by the user account.
 33- Investigate other alerts associated with the user account during the past 48 hours.
 34- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?
 35- Examine the account's prompts and responses in the last 24 hours.
 36- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.
 37
 38### False positive analysis
 39
 40- Verify the user account that used high prompt and large response sizes, has a business justification for the heavy usage of the system.
 41
 42### Response and remediation
 43
 44- Initiate the incident response process based on the outcome of the triage.
 45- Disable or limit the account during the investigation and response.
 46- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
 47    - Identify the account role in the cloud environment.
 48    - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.
 49    - Identify any regulatory or legal ramifications related to this activity.
 50    - Identify potential resource exhaustion and impact on billing.
 51- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.
 52- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
 53- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 54"""
 55references = [
 56    "https://atlas.mitre.org/techniques/AML.T0051",
 57    "https://owasp.org/www-project-top-10-for-large-language-model-applications/",
 58    "https://www.elastic.co/security-labs/elastic-advances-llm-security",
 59]
 60risk_score = 47
 61rule_id = "b1773d05-f349-45fb-9850-287b8f92f02d"
 62setup = """## Setup
 63
 64This rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:
 65
 66https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html
 67"""
 68severity = "medium"
 69tags = [
 70    "Domain: LLM",
 71    "Data Source: AWS Bedrock",
 72    "Data Source: Amazon Web Services",
 73    "Data Source: AWS S3",
 74    "Use Case: Potential Overload",
 75    "Use Case: Resource Exhaustion",
 76    "Mitre Atlas: LLM04",
 77    "Resources: Investigation Guide",
 78]
 79timestamp_override = "event.ingested"
 80type = "esql"
 81
 82query = '''
 83from logs-aws_bedrock.invocation-*
 84
 85// keep token usage data
 86| keep
 87  user.id,
 88  gen_ai.usage.prompt_tokens,
 89  gen_ai.usage.completion_tokens
 90
 91// Aggregate usage metrics
 92| stats
 93    Esql.ml_usage_prompt_tokens_max = max(gen_ai.usage.prompt_tokens),
 94    Esql.ml_invocations_total_count = count(*),
 95    Esql.ml_usage_completion_tokens_avg = avg(gen_ai.usage.completion_tokens)
 96  by
 97    user.id
 98
 99// Filter for suspicious usage patterns
100| where
101  Esql.ml_usage_prompt_tokens_max > 5000
102  and Esql.ml_invocations_total_count > 10
103  and Esql.ml_usage_completion_tokens_avg > 500
104
105// Calculate a custom risk factor
106| eval Esql.ml_risk_score =
107    (Esql.ml_usage_prompt_tokens_max / 1000) *
108    Esql.ml_invocations_total_count *
109    (Esql.ml_usage_completion_tokens_avg / 500)
110
111// Filter on risk score
112| where Esql.ml_risk_score > 10
113
114// sort high risk users to top
115| sort Esql.ml_risk_score desc
116'''