# Amazon Bedrock Model Invocation

## Overview

Panther supports ingesting [Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/what-is-bedrock.html) model invocation logs via AWS CloudWatch or AWS S3.

## How to onboard Amazon Bedrock model invocation logs to Panther

To pull Amazon Bedrock model invocation logs into Panther, follow the [Monitor model invocation using CloudWatch Logs and Amazon S3](https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html) AWS documentation to configure Bedrock model invocation logs to be sent to either CloudWatch or an S3 bucket.

Then, set up a new log source in the Panther Console to stream data from your AWS account:

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for "Bedrock Model Invocation," then click its tile.
4. In the **Transport Mechanism** drop-down, select the Data Transport method you wish to use for this integration: **AWS S3 Bucket** or **AWS CloudWatch Logs**.
5. Click **Start Setup**.
6. Follow [Panther's documentation for configuring S3 for data transport](/data-onboarding/data-transports/aws/s3.md) or [Panther's documentation for configuring CloudWatch for data transport](/data-onboarding/data-transports/aws/cloudwatch.md).

## Panther-managed detections

See [Panther-managed](/detections/panther-managed.md) rules for Amazon Bedrock model invocation in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/main/rules/aws_bedrockmodelinvocation_rules).

## Supported Amazon Bedrock model invocation logs

### AWS.BedrockModelInvocation

Model invocation logging collects invocation logs, model input data, and model output data for all Amazon Bedrock invocations in your AWS account in a given Region. See the AWS [Monitor model invocation using CloudWatch Logs and Amazon S3](https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html) documentation for more details.

```yaml
schema: AWS.BedrockModelInvocation
description: Amazon Bedrock Model Invocation Logs
referenceURL: https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html
fields:
    - name: accountId
      required: true
      type: string
      indicators:
        - aws_account_id
    - name: errorCode
      type: string
    - name: identity
      type: object
      fields:
        - name: arn
          type: string
          indicators:
            - aws_arn
    - name: inferenceRegion
      type: string
    - name: input
      type: object
      fields:
        - name: cacheReadInputTokenCount
          type: bigint
        - name: cacheWriteInputTokenCount
          type: bigint
        - name: inputBodyJson
          type: json
        - name: inputContentType
          type: string
        - name: inputTokenCount
          type: bigint
    - name: modelId
      required: true
      type: string
    - name: operation
      type: string
    - name: output
      type: object
      fields:
        - name: outputBodyJson
          type: json
        - name: outputVideoDurationSeconds
          type: float
        - name: outputVideoFramesPerSecond
          type: bigint
        - name: outputVideoHeight
          type: bigint
        - name: outputVideoS3Path
          type: string
        - name: outputVideoWidth
          type: bigint
        - name: outputContentType
          type: string
        - name: outputTokenCount
          type: bigint
    - name: performanceConfig
      type: object
      fields:
        - name: latency
          type: string
    - name: region
      type: string
    - name: requestId
      type: string
    - name: schemaType
      type: string
    - name: schemaVersion
      type: string
    - name: status
      type: string
    - name: timestamp
      required: true
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
```
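
The identity and token-count fields in this schema are enough to build a per-caller usage baseline. The following is an added example, written as plain Python over dicts; it is not Panther's rule API and not code from panther-analysis. The sample events, model IDs, error code, and threshold are constructed for illustration.

```python
from collections import defaultdict

ACCT = "111122223333"  # constructed account ID
# Constructed events; field names follow the AWS.BedrockModelInvocation schema.
# Model IDs and the errorCode value are placeholders, not real Bedrock values.
SAMPLE_EVENTS = [
    {"accountId": ACCT, "modelId": "example-model-a", "timestamp": "2024-01-01T00:00:00Z",
     "identity": {"arn": f"arn:aws:iam::{ACCT}:role/app"},
     "input": {"inputTokenCount": 1200}, "output": {"outputTokenCount": 300}},
    {"accountId": ACCT, "modelId": "example-model-a", "timestamp": "2024-01-01T00:01:00Z",
     "identity": {"arn": f"arn:aws:iam::{ACCT}:user/ci"},
     "input": {"inputTokenCount": 90000}, "output": {"outputTokenCount": 4000}},
    {"accountId": ACCT, "modelId": "example-model-b", "timestamp": "2024-01-01T00:02:00Z",
     "identity": {"arn": f"arn:aws:iam::{ACCT}:user/ci"},
     "input": {"inputTokenCount": 20000}, "output": {"outputTokenCount": 1000}},
    # Failed call: only the required fields plus identity and errorCode are present.
    {"accountId": ACCT, "modelId": "example-model-a", "timestamp": "2024-01-01T00:03:00Z",
     "identity": {"arn": f"arn:aws:iam::{ACCT}:role/app"}, "errorCode": "ExampleError"},
]

def deep_get(event, *keys, default=None):
    """Walk nested objects; the schema marks them optional, so they may be absent or null."""
    cur = event
    for key in keys:
        if not isinstance(cur, dict):
            return default
        cur = cur.get(key)
    return default if cur is None else cur

def total_tokens(event):
    """Input plus output tokens for one invocation, treating missing counts as zero."""
    return (deep_get(event, "input", "inputTokenCount", default=0)
            + deep_get(event, "output", "outputTokenCount", default=0))

def usage_by_identity(events):
    """Aggregate tokens, call count, error count, and distinct models per identity.arn."""
    totals = defaultdict(lambda: {"tokens": 0, "calls": 0, "errors": 0, "models": set()})
    for event in events:
        entry = totals[deep_get(event, "identity", "arn", default="<unknown>")]
        entry["tokens"] += total_tokens(event)
        entry["calls"] += 1
        entry["errors"] += 1 if event.get("errorCode") else 0
        entry["models"].add(event["modelId"])  # modelId is required by the schema
    return dict(totals)

def heavy_callers(events, token_threshold):
    """Return the ARNs whose combined token usage exceeds the (assumed) threshold."""
    usage = usage_by_identity(events)
    return sorted(arn for arn, entry in usage.items() if entry["tokens"] > token_threshold)
```

Choose the threshold from your own historical usage; a caller that suddenly exceeds it, or starts invoking models it has not used before, is worth reviewing.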


