Techniques
Sample rules
Potential Abuse of Resources by High Token Count and Large Response Sizes
- source: elastic
- techniques:
Description
Detects potential resource exhaustion or data breach attempts by monitoring for users who consistently generate high input token counts, submit numerous requests, and receive large responses. This behavior could indicate an attempt to overload the system or extract an unusually large amount of data, possibly revealing sensitive information or causing service disruptions.
Detection logic
from logs-aws_bedrock.invocation-*
// keep token usage data
| keep
    user.id,
    gen_ai.usage.prompt_tokens,
    gen_ai.usage.completion_tokens
// Aggregate usage metrics per user
| stats
    Esql.ml_usage_prompt_tokens_max = max(gen_ai.usage.prompt_tokens),
    Esql.ml_invocations_total_count = count(*),
    Esql.ml_usage_completion_tokens_avg = avg(gen_ai.usage.completion_tokens)
  by user.id
// Filter for suspicious usage patterns
| where
    Esql.ml_usage_prompt_tokens_max > 5000
    and Esql.ml_invocations_total_count > 10
    and Esql.ml_usage_completion_tokens_avg > 500
// Calculate a custom risk factor
| eval Esql.ml_risk_score =
    (Esql.ml_usage_prompt_tokens_max / 1000) *
    Esql.ml_invocations_total_count *
    (Esql.ml_usage_completion_tokens_avg / 500)
// Filter on risk score
| where Esql.ml_risk_score > 10
// Sort high-risk users to the top
| sort Esql.ml_risk_score desc
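The same aggregation, thresholds and risk formula as the ES|QL rule above, reimplemented in Python over a few constructed Bedrock invocation records so the scoring can be exercised offline; this is an added example, not part of the Elastic rule, and the sample records, field names as flat dict keys and the `score_users` helper are assumptions made for illustration.

```python
from collections import defaultdict

# Thresholds mirror the ES|QL rule's where clauses.
MAX_PROMPT_TOKENS = 5000
MIN_INVOCATIONS = 10
MIN_AVG_COMPLETION_TOKENS = 500
MIN_RISK_SCORE = 10

# Constructed sample invocation records (not real Bedrock logs):
# alice trips every threshold, bob is chatty but small,
# carol sends huge prompts but too few requests to qualify.
SAMPLE_LOGS = (
    [{"user.id": "alice", "gen_ai.usage.prompt_tokens": 6000, "gen_ai.usage.completion_tokens": 900}] * 12
    + [{"user.id": "bob", "gen_ai.usage.prompt_tokens": 200, "gen_ai.usage.completion_tokens": 100}] * 40
    + [{"user.id": "carol", "gen_ai.usage.prompt_tokens": 9000, "gen_ai.usage.completion_tokens": 2000}] * 3
)


def score_users(records):
    """Aggregate per user.id (max prompt tokens, invocation count, avg completion
    tokens) and return {user: risk_score} for users passing every threshold,
    sorted highest risk first, like the rule's final sort."""
    prompt_max = defaultdict(int)
    count = defaultdict(int)
    completion_sum = defaultdict(int)
    for rec in records:
        uid = rec["user.id"]
        prompt_max[uid] = max(prompt_max[uid], rec["gen_ai.usage.prompt_tokens"])
        count[uid] += 1
        completion_sum[uid] += rec["gen_ai.usage.completion_tokens"]
    flagged = {}
    for uid in count:
        completion_avg = completion_sum[uid] / count[uid]
        if not (prompt_max[uid] > MAX_PROMPT_TOKENS
                and count[uid] > MIN_INVOCATIONS
                and completion_avg > MIN_AVG_COMPLETION_TOKENS):
            continue
        # Same formula as the rule's eval. Note: Python uses float division here;
        # ES|QL may truncate integer division on a long field, so scores can
        # differ slightly when the prompt maximum is not a multiple of 1000.
        risk = (prompt_max[uid] / 1000) * count[uid] * (completion_avg / 500)
        if risk > MIN_RISK_SCORE:
            flagged[uid] = risk
    return dict(sorted(flagged.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for uid, risk in score_users(SAMPLE_LOGS).items():
        print(f"{uid}: risk_score={risk:.1f}")
```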