Amazon Bedrock Model Invocation

Connecting Amazon Bedrock model invocation logs to your Panther Console

Overview

Panther supports ingesting Amazon Bedrock model invocation logs via AWS CloudWatch or AWS S3.

How to onboard Amazon Bedrock model invocation logs to Panther

To pull Amazon Bedrock model invocation logs into Panther, follow the Monitor model invocation using CloudWatch Logs and Amazon S3 AWS documentation to configure Bedrock model invocation logs to be sent to either CloudWatch or an S3 bucket.

Then, set up a new log source in the Panther Console to stream data from your AWS account:

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Bedrock Model Invocation," then click its tile.
In the Transport Mechanism drop-down, select the Data Transport method you wish to use for this integration: AWS S3 Bucket or AWS CloudWatch Logs.
Click Start Setup.
Follow Panther’s documentation for configuring S3 for data transport or Panther's documentation for configuring CloudWatch for data transport.

Panther-managed detections

See Panther-managed rules for Amazon Bedrock model invocation in the panther-analysis GitHub repository.

Supported Amazon Bedrock model invocation logs

AWS.BedrockModelInvocation

You can use model invocation logging to collect invocation logs, model input data, and model output data for all invocations in your AWS account used in Amazon Bedrock in a Region. See the AWS Monitor model invocation using CloudWatch Logs and Amazon S3 documentation for more details.

schema: AWS.BedrockModelInvocation
description: Amazon Bedrock Model Invocation Logs
referenceURL: https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html
fields:
    - name: accountId
      required: true
      type: string
      indicators:
        - aws_account_id
    - name: errorCode
      type: string
    - name: identity
      type: object
      fields:
        - name: arn
          type: string
          indicators:
            - aws_arn
    - name: inferenceRegion
      type: string
    - name: input
      type: object
      fields:
        - name: cacheReadInputTokenCount
          type: bigint
        - name: cacheWriteInputTokenCount
          type: bigint
        - name: inputBodyJson
          type: json
        - name: inputContentType
          type: string
        - name: inputTokenCount
          type: bigint
    - name: modelId
      required: true
      type: string
    - name: operation
      type: string
    - name: output
      type: object
      fields:
        - name: outputBodyJson
          type: json
        - name: outputVideoDurationSeconds
          type: float
        - name: outputVideoFramesPerSecond
          type: bigint
        - name: outputVideoHeight
          type: bigint
        - name: outputVideoS3Path
          type: string
        - name: outputVideoWidth
          type: bigint
        - name: outputContentType
          type: string
        - name: outputTokenCount
          type: bigint
    - name: performanceConfig
      type: object
      fields:
        - name: latency
          type: string
    - name: region
      type: string
    - name: requestId
      type: string
    - name: schemaType
      type: string
    - name: schemaVersion
      type: string
    - name: status
      type: string
    - name: timestamp
      required: true
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true

PreviousAWS Aurora NextAWS CloudFront

Last updated 15 minutes ago

Was this helpful?