
EC2 secrets and parameters dumping

Anvilogic Forge

Summary
This detection rule targets activity associated with the enumeration of secrets stored in AWS Secrets Manager and AWS Systems Manager Parameter Store. Secrets Manager plays a crucial role in managing sensitive information such as database credentials, API keys, and passwords, and so underpins the overall security of AWS environments. Monitoring API calls to Secrets Manager, especially the 'ListSecrets' event triggered by IAM users, allows security teams to identify potential unauthorized access to or misuse of secrets. The rule uses AWS CloudTrail logs to capture and analyze the relevant API calls, providing visibility into actions that may put sensitive data within the AWS ecosystem at risk. The logic is implemented in Splunk as a query over cloud data, keying on indicators such as user identity type, event name, and source IP to produce a comprehensive overview of secret access attempts. This helps security teams proactively identify credential access techniques that could compromise cloud resources.
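The following Python script is an added example and is not Anvilogic's rule logic or its Splunk query. It applies the same idea outside Splunk: it parses constructed CloudTrail events (not real log data), keeps only secret-enumeration calls made by IAM users, and groups them by identity type, user name, event name and source IP, the indicators the summary says the rule keys on. The CloudTrail field names (userIdentity.type, eventSource, eventName, sourceIPAddress) are the real record fields; treating the SSM DescribeParameters event as the Parameter Store counterpart of ListSecrets is an assumption made for this example.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail events, one JSON object per line, as a SIEM
# would ingest them. These are not real log data. Field names follow the
# CloudTrail record format (userIdentity.type, eventSource, eventName,
# sourceIPAddress). The last line is deliberately malformed.
SAMPLE_LOG_LINES = [
    json.dumps({"eventTime": "2024-02-09T10:00:01Z",
                "eventSource": "secretsmanager.amazonaws.com",
                "eventName": "ListSecrets", "sourceIPAddress": "203.0.113.10",
                "userIdentity": {"type": "IAMUser", "userName": "alice"}}),
    json.dumps({"eventTime": "2024-02-09T10:00:05Z",
                "eventSource": "secretsmanager.amazonaws.com",
                "eventName": "ListSecrets", "sourceIPAddress": "203.0.113.10",
                "userIdentity": {"type": "IAMUser", "userName": "alice"}}),
    json.dumps({"eventTime": "2024-02-09T10:01:00Z",
                "eventSource": "secretsmanager.amazonaws.com",
                "eventName": "ListSecrets", "sourceIPAddress": "198.51.100.7",
                "userIdentity": {"type": "AssumedRole",
                                 "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"}}),
    json.dumps({"eventTime": "2024-02-09T10:02:00Z",
                "eventSource": "s3.amazonaws.com",
                "eventName": "GetObject", "sourceIPAddress": "203.0.113.22",
                "userIdentity": {"type": "IAMUser", "userName": "bob"}}),
    json.dumps({"eventTime": "2024-02-09T10:03:00Z",
                "eventSource": "ssm.amazonaws.com",
                "eventName": "DescribeParameters", "sourceIPAddress": "203.0.113.22",
                "userIdentity": {"type": "IAMUser", "userName": "bob"}}),
    "this line is not valid JSON",
]

# Event names treated as enumeration. ListSecrets is the event the rule
# summary names. DescribeParameters is an assumption made for this example:
# it is the Parameter Store counterpart (the SSM API that lists parameters).
ENUMERATION_EVENTS = {
    "secretsmanager.amazonaws.com": {"ListSecrets"},
    "ssm.amazonaws.com": {"DescribeParameters"},
}


def parse_record(line):
    """Parse one CloudTrail event line; return None for malformed input."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    return rec if isinstance(rec, dict) else None


def is_enumeration_by_iam_user(rec):
    """True when the event is a secret/parameter listing call made by an IAM user."""
    identity = rec.get("userIdentity") or {}
    if identity.get("type") != "IAMUser":
        return False
    allowed = ENUMERATION_EVENTS.get(rec.get("eventSource"), set())
    return rec.get("eventName") in allowed


def summarize(lines):
    """Group matching events by (identity type, user name, event name, source IP).

    Returns a dict mapping that tuple to {"count", "first_seen", "last_seen"},
    mirroring the indicators the rule summary says the Splunk logic keys on.
    """
    summary = defaultdict(lambda: {"count": 0, "first_seen": None, "last_seen": None})
    for line in lines:
        rec = parse_record(line)
        if rec is None or not is_enumeration_by_iam_user(rec):
            continue
        identity = rec["userIdentity"]
        key = (identity["type"], identity.get("userName", "<unknown>"),
               rec["eventName"], rec.get("sourceIPAddress", "<unknown>"))
        entry = summary[key]
        entry["count"] += 1
        ts = rec.get("eventTime", "")  # ISO-8601 strings compare lexicographically
        entry["first_seen"] = ts if entry["first_seen"] is None else min(entry["first_seen"], ts)
        entry["last_seen"] = ts if entry["last_seen"] is None else max(entry["last_seen"], ts)
    return dict(summary)


if __name__ == "__main__":
    for (user_type, user, event, ip), stats in summarize(SAMPLE_LOG_LINES).items():
        print(f"{user_type} {user} called {event} x{stats['count']} from {ip} "
              f"({stats['first_seen']} .. {stats['last_seen']})")
```

Run as-is and the script reports two groups: alice's two ListSecrets calls from one address and bob's single DescribeParameters call; the AssumedRole call and the S3 call are dropped because the rule, as summarized, is scoped to IAM users and to secret-enumeration events. Reviewing the grouped output rather than individual events is what lets an analyst distinguish one administrator listing secrets from a credential that has started sweeping every store it can reach.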
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Cloud Storage
ATT&CK Techniques
  • T1552.005
Created: 2024-02-09