
AWS Secrets Manager Batch Retrieve Secrets

Panther Rules

Summary
This detection rule identifies potential unauthorized access to AWS Secrets Manager by monitoring use of the BatchGetSecretValue API call. Specifically, it flags batch retrievals that fetch more than four secrets in a single request, a pattern an attacker may use to pull a high volume of secrets at once while generating fewer events, reducing visibility and evading detection. The behavior is identified from AWS CloudTrail log fields such as the event name, user agent, source IP address, and recipient account ID. The rule is mapped to MITRE ATT&CK technique TA0006:T1552, which falls under credential access and specifically concerns secrets management.
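As an added illustration of the logic the summary describes (not the rule's own source), the following standalone Python check runs over constructed CloudTrail records; the requestParameters field names secretIdList and filters are assumptions mirroring the API's parameters, and no Panther runtime helpers are used:

```python
SECRET_COUNT_THRESHOLD = 4  # alert when MORE than this many secrets are requested at once
ACCOUNT = "111122223333"    # constructed sample account id


def sample(event_name: str, params: dict, ip: str, agent: str) -> dict:
    """Build a minimal constructed CloudTrail record (not a real log line)."""
    return {
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": event_name,
        "sourceIPAddress": ip,
        "userAgent": agent,
        "recipientAccountId": ACCOUNT,
        "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/example-user"},
        "requestParameters": params,
    }


# Assumption: requestParameters carries the API's SecretIdList / Filters
# parameters as "secretIdList" / "filters".
SAMPLE_EVENTS = [
    sample("BatchGetSecretValue", {"secretIdList": [f"app/secret-{i}" for i in range(6)]},
           "203.0.113.10", "aws-cli/2.15.0"),     # 6 secrets -> alert
    sample("BatchGetSecretValue", {"secretIdList": ["app/db", "app/cache"]},
           "203.0.113.11", "aws-sdk-go/1.50.0"),  # 2 secrets -> no alert
    sample("BatchGetSecretValue", {"filters": [{"key": "name", "values": ["app/"]}]},
           "203.0.113.12", "aws-cli/2.15.0"),     # filter-based: count not in request
    sample("GetSecretValue", {"secretId": "app/db"},
           "203.0.113.10", "aws-cli/2.15.0"),     # single-secret API, out of scope
]


def requested_secret_count(event: dict) -> int:
    """Secrets named explicitly in the request. A filter-based batch returns 0
    here: the number fetched is only visible in the response, not the request."""
    params = event.get("requestParameters") or {}
    return len(params.get("secretIdList") or [])


def rule(event: dict) -> bool:
    """True for a BatchGetSecretValue call naming more than the threshold."""
    return (
        event.get("eventSource") == "secretsmanager.amazonaws.com"
        and event.get("eventName") == "BatchGetSecretValue"
        and requested_secret_count(event) > SECRET_COUNT_THRESHOLD
    )


def title(event: dict) -> str:
    """Alert title from the CloudTrail fields the summary calls out."""
    actor = (event.get("userIdentity") or {}).get("arn", "<unknown>")
    return (f"[{event['recipientAccountId']}] {actor} batch-retrieved "
            f"{requested_secret_count(event)} secrets from {event['sourceIPAddress']} "
            f"via {event['userAgent']}")
```

The filter-based sample shows the blind spot of counting request parameters alone: a batch selected by Filters names no secrets in the request, so a complementary check on the response (or on a burst of follow-up calls) is needed to cover it.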
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Web Credential
  • Logon Session
ATT&CK Techniques
  • T1552
Created: 2025-02-03