The AWS Bedrock Model Invocation Abnormal Token Usage rule is designed to monitor abnormal usage patterns of tokens associated with the invocation of AWS Bedrock AI models. It specifically looks for circumstances where the total token usage significantly exceeds predefined thresholds, indicating potential misuse or abuse of the AI models. The detection focuses on invocation logs from the Bedrock service, providing alerts when token usage appears suspicious. The rule is particularly relevant in scenarios of resource hijacking, where malicious actors might exploit the service for nefarious activities. To validate these alerts, a detailed investigation should confirm unusually high token consumption tied to specific models or compromised credentials. Recommendations for incident response include verifying alert particulars, analyzing user behaviors for signs of account compromise, and possibly adjusting access controls or usage limits to prevent future occurrences.