
AWS Secrets Manager Batch Retrieve Secrets Catch-All

Panther Rules

Summary
The rule detects potentially malicious use of the AWS Secrets Manager BatchGetSecretValue API, specifically requests that use a catch-all filter. An attacker may try to retrieve many secrets in a single API call to minimize exposure and avoid triggering alerts. The rule identifies this pattern by monitoring AWS CloudTrail logs for the relevant API calls. The API's batch size limit is 20 secrets, and although each call must supply either specific secret IDs or filters, a catch-all filter can be abused to obtain every secret in a single request. The aim is to detect and respond to this type of credential access attempt as part of an overall security posture against AWS resource misuse.
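As an added illustration (not Panther's own rule code), the following self-contained Python sketch shows the shape of a Panther-style rule for this detection run against constructed CloudTrail events. The catch-all heuristic used here (a negated "!" filter value, which excludes only secrets having that attribute and therefore matches everything when the attribute is never used) and the lower-camel-case CloudTrail field names are assumptions of this example; the page does not state the rule's exact matching criteria.

```python
"""Self-contained, Panther-style approximation of this detection, added as an
example; it is not Panther's own rule code. The catch-all heuristic (a negated
'!' filter value) and the lower-camel-case CloudTrail field names are
assumptions; the sample events below are constructed, not real records."""
from typing import Any


def is_catch_all_filter(flt: dict[str, Any]) -> bool:
    # A negated value excludes only secrets that carry that attribute, so a
    # value nothing carries matches every secret (heuristic, assumed here).
    values = [str(v) for v in flt.get("values", [])]
    return any(v.startswith("!") for v in values)


def rule(event: dict[str, Any]) -> bool:
    # Panther rule(): alert only when BatchGetSecretValue relies on a filter
    # instead of an explicit secretIdList and that filter is a catch-all.
    if event.get("eventSource") != "secretsmanager.amazonaws.com":
        return False
    if event.get("eventName") != "BatchGetSecretValue":
        return False
    params = event.get("requestParameters") or {}
    if params.get("secretIdList"):  # explicit IDs: the expected, bounded usage
        return False
    return any(is_catch_all_filter(f) for f in params.get("filters") or [])


def title(event: dict[str, Any]) -> str:
    # Panther title(): name the principal and region for the alert.
    arn = (event.get("userIdentity") or {}).get("arn", "<unknown principal>")
    return f"Catch-all BatchGetSecretValue by {arn} in {event.get('awsRegion', '?')}"


# Constructed sample CloudTrail events, not real records.
SUSPICIOUS_EVENT = {
    "eventSource": "secretsmanager.amazonaws.com",
    "eventName": "BatchGetSecretValue",
    "awsRegion": "us-east-1",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
    "requestParameters": {"filters": [{"key": "tag-key", "values": ["!never-set"]}]},
}
BENIGN_EVENT = {
    "eventSource": "secretsmanager.amazonaws.com",
    "eventName": "BatchGetSecretValue",
    "awsRegion": "us-east-1",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app"},
    "requestParameters": {"secretIdList": ["prod/db/password", "prod/api/key"]},
}
```

In a real deployment, the same logic would run inside Panther with its event helpers; here `rule(SUSPICIOUS_EVENT)` returns True and `rule(BENIGN_EVENT)` returns False.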
Categories
  • Cloud
  • AWS
  • Identity Management
Data Sources
  • Cloud Service
  • Logon Session
ATT&CK Techniques
  • T1552
Created: 2025-02-03