AWS RDS Log File Downloaded

Panther Rules

Summary
This rule analyzes AWS CloudTrail logs to detect when RDS log files are downloaded via the DownloadDBLogFilePortion API. Downloaded log files may contain credentials, sensitive queries, or secrets, and bulk or unusual downloads can indicate credential harvesting or data reconnaissance. The detection matches CloudTrail events where eventSource is rds.amazonaws.com and eventName is DownloadDBLogFilePortion, with requestParameters including dBInstanceIdentifier and logFileName.

The Runbook specifies three steps:
  • identify all log file download events by the user’s ARN in the past 6 hours to detect bulk download patterns;
  • verify that the source IP address aligns with the user’s normal access patterns from the past 30 days;
  • look for database access or modification events by the same user in the 48 hours prior to the log download to establish context.

The rule is linked to MITRE ATT&CK technique T1552.001 (Credentials in Files). Deduplication is enforced with a 60-minute window. Summary attributes include eventName, userIdentity:principalId, requestParameters:dBInstanceIdentifier, requestParameters:logFileName, sourceIPAddress, and p_any_aws_account_ids to aid investigation. The Tests cover positive detections when a log file is downloaded (from internal or external IPs) and negative cases where the event is not a relevant download or the API call fails, confirming that the rule fires on actual log file retrieval and not on unrelated or failed attempts.
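The matching logic and the first runbook step, written out as an added illustration in the Panther rule style (this is not the project's own rule code). CloudTrail field names are real; treating a record that carries an errorCode as the "failed action" negative case, and the ARN, instance name and timestamps in the sample records, are this example's assumptions.

```python
# Added illustration of the detection described above, not Panther's own rule code.
# Assumption: a CloudTrail record with errorCode set is the "failed action" negative case.
from collections import Counter
from datetime import datetime, timedelta

RDS_SOURCE = "rds.amazonaws.com"
DOWNLOAD_EVENT = "DownloadDBLogFilePortion"

def rule(event: dict) -> bool:
    """True only for a successful RDS log-file download carrying both request parameters."""
    if event.get("eventSource") != RDS_SOURCE or event.get("eventName") != DOWNLOAD_EVENT:
        return False
    if event.get("errorCode"):  # CloudTrail sets errorCode when the API call failed
        return False
    params = event.get("requestParameters") or {}
    return bool(params.get("dBInstanceIdentifier") and params.get("logFileName"))

def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))

def bulk_downloads(events: list, window_hours: int = 6) -> dict:
    """Runbook step 1: count matching downloads per user ARN in the trailing window."""
    matches = [e for e in events if rule(e)]
    if not matches:
        return {}
    cutoff = max(_ts(e) for e in matches) - timedelta(hours=window_hours)
    return dict(Counter(e["userIdentity"]["arn"] for e in matches if _ts(e) >= cutoff))

def _event(name: str, time: str, ip: str, **extra) -> dict:
    """Build a constructed CloudTrail-style record (sample data, not a real trail)."""
    ev = {"eventSource": RDS_SOURCE, "eventName": name, "eventTime": time,
          "sourceIPAddress": ip,
          "userIdentity": {"principalId": "AIDAEXAMPLE", "arn": "arn:aws:iam::123456789012:user/analyst"},
          "requestParameters": {"dBInstanceIdentifier": "prod-db", "logFileName": "error/postgresql.log"}}
    ev.update(extra)
    return ev

SAMPLE_EVENTS = [  # constructed samples mirroring the rule's positive and negative tests
    _event(DOWNLOAD_EVENT, "2026-04-21T10:00:00Z", "10.0.0.5"),
    _event(DOWNLOAD_EVENT, "2026-04-21T11:30:00Z", "203.0.113.9"),
    _event(DOWNLOAD_EVENT, "2026-04-21T12:00:00Z", "10.0.0.5", errorCode="AccessDenied"),
    _event("DescribeDBLogFiles", "2026-04-21T12:10:00Z", "10.0.0.5"),
    _event(DOWNLOAD_EVENT, "2026-04-21T01:00:00Z", "10.0.0.5"),  # outside the 6-hour window
]
```

Running bulk_downloads over SAMPLE_EVENTS counts two successful downloads for the analyst ARN inside the 6-hour window; the failed call, the unrelated DescribeDBLogFiles event and the early-morning download are left out.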
Categories
  • Cloud
  • AWS
  • Database
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1552.001
Created: 2026-04-21