Splunk

AWS Bedrock Claude Unusually Large Prompts

Last updated 2 days ago on 2026-07-17

About

This detection identifies unusually large prompts sent to AWS Bedrock Claude models by calculating the statistical baseline of input token counts and flagging requests that exceed one standard deviations above the mean. Abnormally large prompts may indicate prompt injection attacks, data exfiltration attempts, or abuse of the AI service.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://aws.amazon.com/blogs/apn/unlocking-the-power-of-splunk-with-amazon-bedrock-an-agentic-ai-approach-to-build-customized-splunk-assistants-using-bedrock-agents/(external, opens in a new tab or window)https://help.splunk.com/en/splunk-observability-cloud/observability-for-ai/splunk-ai-infrastructure-monitoring/set-up-ai-infrastructure-monitoring/amazon-bedrock(external, opens in a new tab or window)https://research.splunk.com/stories/aws_bedrock_security/(external, opens in a new tab or window)https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html(external, opens in a new tab or window)
False Positives
Possible false positives may arise from legitimate user interactions with the AI model that require large input prompts, such as complex queries or multi-turn conversations. It is important to review the context of the detected prompts to determine if they represent actual prompt injection attempts or benign usage.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`aws_bedrock_claude` | rename "input.inputTokenCount" AS input_tokens | rename "identity.arn" AS user_arn | rename "accountId" AS account_id | rex field=user_arn "assumed-role/[^/]+/(?<user>[^\"]+)$" | eval input_tokens=tonumber(input_tokens) | where input_tokens>0 | eventstats avg(input_tokens) AS avg_tokens stdev(input_tokens) AS stdev | where input_tokens > avg_tokens + (1*stdev) | where input_tokens > 1000 | table _time, modelId, user, user_arn, account_id, input_tokens, avg_tokens, host | sort - input_tokens | `aws_bedrock_claude_unusually_large_prompts_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).