This detection rule identifies attempts to delete AWS Bedrock model invocation logging configurations by monitoring AWS CloudTrail logs for calls to the DeleteModelInvocationLogging API. Such actions can indicate an adversary's attempt to erase audit traces of interactions with AI models post-credential compromise, thereby allowing them to conduct malicious activities without detection, such as data exfiltration or prompt injection attacks. By detecting these API calls, the organization can respond to potential unauthorized model usage and prevent attackers from hiding their activities.