Detection rules › Panther
AWS Bedrock Model Invocation Abnormal Token Usage
Monitors for potential misuse or abuse of AWS Bedrock AI models by detecting abnormal token usage patterns and alerts when the total token usage exceeds the appropriate threshold for each different type of model.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Impact | T1496.004 Resource Hijacking: Cloud Service Hijacking |
Rule body

```yaml
AnalysisType: rule
Filename: aws_bedrockmodelinvocation_abnormaltokenusage.py
RuleID: "AWS.BedrockModelInvocation.AbnormalTokenUsage"
DisplayName: "AWS Bedrock Model Invocation Abnormal Token Usage"
Enabled: true
LogTypes:
  - AWS.BedrockModelInvocation
Tags:
  - AWS
  - Bedrock
  - Resource Hijacking
Status: Experimental
Severity: Info
Reports:
  MITRE ATT&CK:
    - TA0040:T1496.004
Description: Monitors for potential misuse or abuse of AWS Bedrock AI models by detecting abnormal token usage patterns and alerts when the total token usage exceeds the appropriate threshold for each different type of model.
Runbook: Verify the alert details by checking token usage, model ID, and account information to confirm unusual activity, examine user access patterns to identify potential credential compromise, and look for evidence of prompt injection, unusual repetition, or attempts to bypass usage limits. Apply stricter usage quotas to the affected account, block suspicious IP addresses, and enhance the guardrails that are in place.
DedupPeriodMinutes: 60
Threshold: 1
Reference: https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.bedrock-invoke-model/
SummaryAttributes:
  - p_any_aws_account_ids
  - p_any_aws_arns
InlineFilters:
  - All: []
Tests:
  - Name: Converse Operation Unusual Token Patterns
    ExpectedResult: true
    Log:
      accountId: "111111111111"
      identity:
        arn: arn:aws:sts::111111111111:assumed-role/role_details/suspicious.user
      input:
        inputBodyJson:
          messages:
            - content:
                - text: I have a very suspicious question.
              role: user
        inputContentType: application/json
        inputTokenCount: 0
      modelId: anthropic.claude-3-haiku-20240307-v1:0
      operation: Converse
      output:
        outputBodyJson:
          metrics:
            latencyMs: 249
          output:
            message:
              content:
                - text: You shouldn't ask this question
              role: assistant
          usage:
            inputTokens: 0
            outputTokens: 0
            totalTokens: 2000
        outputContentType: application/json
        outputTokenCount: 0
      region: us-west-2
      requestId: bb98d9a8-bd9a-47ca-976b-f165ef1f8b67
      schemaType: ModelInvocationLog
      schemaVersion: "1.0"
      timestamp: "2025-05-15 14:17:22.000000000"
  - Name: Converse Operation with Abnormal Token Usage
    ExpectedResult: true
    Log:
      accountId: "111111111111"
      identity:
        arn: arn:aws:sts::111111111111:assumed-role/role_details/suspicious.user
      input:
        inputBodyJson:
          messages:
            - content:
                - text: I have a very suspicious question.
              role: user
        inputContentType: application/json
        inputTokenCount: 0
      modelId: anthropic.claude-3-haiku-20240307-v1:0
      operation: Converse
      output:
        outputBodyJson:
          metrics:
            latencyMs: 249
          output:
            message:
              content:
                - text: You shouldn't ask this question
              role: assistant
          usage:
            inputTokens: 0
            outputTokens: 0
            totalTokens: 5000
        outputContentType: application/json
        outputTokenCount: 0
      region: us-west-2
      requestId: bb98d9a8-bd9a-47ca-976b-f165ef1f8b67
      schemaType: ModelInvocationLog
      schemaVersion: "1.0"
      timestamp: "2025-05-15 14:17:22.000000000"
  - Name: Perform Another Operation
    ExpectedResult: false
    Log:
      accountId: "111111111111"
      identity:
        arn: arn:aws:sts::111111111111:assumed-role/role_details/regular.user
      input:
        inputBodyJson:
          messages:
            - content:
                - text: I have a rather normal question.
              role: user
        inputContentType: application/json
        inputTokenCount: 0
      modelId: anthropic.claude-3-haiku-20240307-v1:0
      operation: ListModels
      output:
        outputBodyJson:
          metrics:
            latencyMs: 249
          output:
            message:
              content:
                - text: I can respond to this question
              role: assistant
          usage:
            inputTokens: 0
            outputTokens: 0
            totalTokens: 0
        outputContentType: application/json
        outputTokenCount: 0
      region: us-west-2
      requestId: bb98d9a8-bd9a-47ca-976b-f165ef1f8b67
      schemaType: ModelInvocationLog
      schemaVersion: "1.0"
      timestamp: "2025-05-15 14:17:22.000000000"
  - Name: Regular Converse Operation with Normal Token Usage
    ExpectedResult: false
    Log:
      accountId: "111111111111"
      identity:
        arn: arn:aws:sts::111111111111:assumed-role/role_details/regular.user
      input:
        inputBodyJson:
          messages:
            - content:
                - text: I have a rather normal question.
              role: user
        inputContentType: application/json
        inputTokenCount: 0
      modelId: anthropic.claude-3-haiku-20240307-v1:0
      operation: Converse
      output:
        outputBodyJson:
          metrics:
            latencyMs: 249
          output:
            message:
              content:
                - text: I can respond to this question
              role: assistant
          usage:
            inputTokens: 0
            outputTokens: 0
            totalTokens: 0
        outputContentType: application/json
        outputTokenCount: 0
      region: us-west-2
      requestId: bb98d9a8-bd9a-47ca-976b-f165ef1f8b67
      schemaType: ModelInvocationLog
      schemaVersion: "1.0"
      timestamp: "2025-05-15 14:17:22.000000000"
```
Detection logic

Condition

```
operation in ["InvokeModel", "Converse"]
output.outputBodyJson.usage.totalTokens gt "1000"
output.outputBodyJson.usage.outputTokens eq "0"
```

This rule also runs imperative logic the parser cannot express as a filter; the conditions above are the structured part it could extract.
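The following is an added, hypothetical re-implementation of the structured conditions above in the shape of a Panther Python rule; it is not Panther's own `aws_bedrockmodelinvocation_abnormaltokenusage.py`. It assumes the three conditions are ANDed, adds a per-model threshold table with made-up ceilings (the page only names the 1000-token default), and builds constructed events in the `AWS.BedrockModelInvocation` shape of the test logs.

```python
"""Hypothetical re-implementation of the detection logic described above.
Added example, not Panther's own aws_bedrockmodelinvocation_abnormaltokenusage.py.
Event shape follows the AWS.BedrockModelInvocation test logs in the rule body."""

MONITORED_OPERATIONS = {"InvokeModel", "Converse"}
# Per-model totalTokens ceilings keyed by modelId prefix: assumed values for
# illustration; tune them to the baseline seen in your own invocation logs.
MODEL_TOKEN_THRESHOLDS = {"anthropic.claude-3-haiku": 1000, "anthropic.claude-3-sonnet": 4000}
DEFAULT_TOKEN_THRESHOLD = 1000  # the "gt 1000" default from the extracted condition


def deep_get(event, *keys, default=None):
    """Walk nested dicts like Panther's event.deep_get; any missing key yields default."""
    current = event
    for key in keys:
        if not isinstance(current, dict) or key not in current:
            return default
        current = current[key]
    return current


def threshold_for(model_id):
    """Pick the ceiling for the model family, falling back to the default."""
    for prefix, limit in MODEL_TOKEN_THRESHOLDS.items():
        if model_id.startswith(prefix):
            return limit
    return DEFAULT_TOKEN_THRESHOLD


def rule(event):
    """Fire on InvokeModel/Converse calls whose totalTokens exceeds the model's ceiling
    while outputTokens is 0 (the usage fields disagree): the page's three conditions ANDed."""
    if event.get("operation") not in MONITORED_OPERATIONS:
        return False
    usage = deep_get(event, "output", "outputBodyJson", "usage", default={}) or {}
    total = int(usage.get("totalTokens") or 0)
    output_tokens = int(usage.get("outputTokens") or 0)
    return total > threshold_for(event.get("modelId", "")) and output_tokens == 0


def title(event):
    """Alert title carrying the fields the runbook says to verify first."""
    total = deep_get(event, "output", "outputBodyJson", "usage", "totalTokens", default=0)
    return (f"Abnormal Bedrock token usage: {total} total tokens for "
            f"{event.get('modelId', '<unknown>')} in account {event.get('accountId', '<unknown>')}")


def make_event(operation, model_id, total, output_tokens=0):
    """Build a minimal constructed log in the shape of the page's test events."""
    return {"accountId": "111111111111", "operation": operation, "modelId": model_id,
            "output": {"outputBodyJson": {"usage": {"inputTokens": 0,
                                                    "outputTokens": output_tokens,
                                                    "totalTokens": total}}}}
```

The four test cases in the rule body map directly onto `make_event("Converse", ..., 2000)`, `(..., 5000)`, `("ListModels", ..., 0)` and `("Converse", ..., 0)`, giving true, true, false, false.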
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| operation | in | ["InvokeModel", "Converse"] |
| output.outputBodyJson.usage.outputTokens | eq | "0" |
| output.outputBodyJson.usage.totalTokens | gt | "1000" |