Potential Abuse of Resources by High Token Count and Large Response Sizes

Last updated 3 months ago on 2025-09-25

Created 2 years ago on 2024-05-04

About

Detects potential resource exhaustion or data breach attempts by monitoring for users who consistently generate high input token counts, submit numerous requests, and receive large responses. This behavior could indicate an attempt to overload the system or extract an unusually large amount of data, possibly revealing sensitive information or causing service disruptions.

Tags: Domain: LLMData Source: AWS BedrockData Source: Amazon Web ServicesData Source: AWS S3Use Case: Potential OverloadUse Case: Resource ExhaustionMitre Atlas: LLM04Language: esql
Severity: medium
Risk Score: 47
False Positive Examples: Authorized heavy usage of the system that is business justified and monitored.
License: Elastic License v2(external, opens in a new tab or window)

Definition

Integration Pack: Prebuilt Security Detection Rules
Related Integrations: aws_bedrock(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗from logs-aws_bedrock.invocation-*

// keep token usage data
| keep
  user.id,
  gen_ai.usage.prompt_tokens,
  gen_ai.usage.completion_tokens

// Aggregate usage metrics
| stats
    Esql.ml_usage_prompt_tokens_max = max(gen_ai.usage.prompt_tokens),
    Esql.ml_invocations_total_count = count(*),
    Esql.ml_usage_completion_tokens_avg = avg(gen_ai.usage.completion_tokens)
  by
    user.id

// Filter for suspicious usage patterns
| where
  Esql.ml_usage_prompt_tokens_max > 5000
  and Esql.ml_invocations_total_count > 10
  and Esql.ml_usage_completion_tokens_avg > 500

// Calculate a custom risk factor
| eval Esql.ml_risk_score =
    (Esql.ml_usage_prompt_tokens_max / 1000) *
    Esql.ml_invocations_total_count *
    (Esql.ml_usage_completion_tokens_avg / 500)

// Filter on risk score
| where Esql.ml_risk_score > 10

// sort high risk users to top
| sort Esql.ml_risk_score desc

Install detection rules in Elastic Security

Detect Potential Abuse of Resources by High Token Count and Large Response Sizes in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).