# Amazon Bedrock Model Invocation

## Overview

Panther supports ingesting [Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/what-is-bedrock.html) model invocation logs via AWS CloudWatch or AWS S3.

## How to onboard Amazon Bedrock model invocation logs to Panther

To pull Amazon Bedrock model invocation logs into Panther, follow the [Monitor model invocation using CloudWatch Logs and Amazon S3](https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html) AWS documentation to configure Bedrock model invocation logs to be sent to either CloudWatch or an S3 bucket.

Then, set up a new log source in the Panther Console to stream data from your AWS account:

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New.**
3. Search for "Bedrock Model Invocation," then click its tile.
4. In the **Transport Mechanism** drop-down, select the Data Transport method you wish to use for this integration: **AWS S3 Bucket** or **AWS CloudWatch Logs**.
5. Click **Start Setup**.
6. Follow [Panther’s documentation for configuring S3 for data transport](https://docs.panther.com/data-onboarding/data-transports/aws/s3) or [Panther's documentation for configuring CloudWatch for data transport](https://docs.panther.com/data-onboarding/data-transports/aws/cloudwatch).

## Panther-managed detections

See [Panther-managed](https://docs.panther.com/detections/panther-managed) rules for Amazon Bedrock model invocation in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/main/rules/aws_bedrockmodelinvocation_rules).

## Supported Amazon Bedrock model invocation logs

### AWS.BedrockModelInvocation

You can use model invocation logging to collect invocation logs, model input data, and model output data for all invocations in your AWS account used in Amazon Bedrock in a Region. See the AWS [Monitor model invocation using CloudWatch Logs and Amazon S3](https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html) documentation for more details.

```yaml
schema: AWS.BedrockModelInvocation
description: Amazon Bedrock Model Invocation Logs
referenceURL: https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html
fields:
    - name: accountId
      required: true
      type: string
      indicators:
        - aws_account_id
    - name: errorCode
      type: string
    - name: identity
      type: object
      fields:
        - name: arn
          type: string
          indicators:
            - aws_arn
    - name: inferenceRegion
      type: string
    - name: input
      type: object
      fields:
        - name: cacheReadInputTokenCount
          type: bigint
        - name: cacheWriteInputTokenCount
          type: bigint
        - name: inputBodyJson
          type: json
        - name: inputContentType
          type: string
        - name: inputTokenCount
          type: bigint
    - name: modelId
      required: true
      type: string
    - name: operation
      type: string
    - name: output
      type: object
      fields:
        - name: outputBodyJson
          type: json
        - name: outputVideoDurationSeconds
          type: float
        - name: outputVideoFramesPerSecond
          type: bigint
        - name: outputVideoHeight
          type: bigint
        - name: outputVideoS3Path
          type: string
        - name: outputVideoWidth
          type: bigint
        - name: outputContentType
          type: string
        - name: outputTokenCount
          type: bigint
    - name: performanceConfig
      type: object
      fields:
        - name: latency
          type: string
    - name: region
      type: string
    - name: requestId
      type: string
    - name: schemaType
      type: string
    - name: schemaVersion
      type: string
    - name: status
      type: string
    - name: timestamp
      required: true
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
```