text code block:`aws_bedrock_claude` | rename "identity.arn" AS user_arn | rename "input.inputTokenCount" AS input_tokens | rename "output.outputTokenCount" AS output_tokens | rex field=user_arn "assumed-role/[^/]+/(?<user>[^\"]+)$" | rex field="input.inputBodyJson.metadata.user_id" "(?<session_user>user_[^_]+.*)" | eval input_tokens=tonumber(input_tokens) | eval output_tokens=tonumber(output_tokens) | eval token_ratio=round(output_tokens / max(input_tokens,1), 2) | eval model_short=replace(modelId,"^.*/","") | eval mismatch_detail=region." -> ".inferenceRegion | where isnotnull(user_arn) AND len(user_arn)>10 | where isnotnull(session_user) | where region!=inferenceRegion | where input_tokens>=2000 | table _time, user, user_arn, session_user, model_short, input_tokens, output_tokens, token_ratio, mismatch_detail, operation, host | sort - input_tokens | `aws_bedrock_claude_cross_region_possible_inference_abuse_filter`
View this rule on Splunk
This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).