AWS Secrets Manager Retrieve Secrets Multi-Region

Panther Rules

Summary
The AWS Secrets Manager Retrieve Secrets Multi-Region detection rule identifies suspicious retrieval of secrets from AWS Secrets Manager across multiple regions. Specifically, it detects calls to the 'secretsmanager:BatchGetSecretValue' API, which returns multiple secrets in a single request and therefore produces far fewer log entries than retrieving each secret individually, reducing the chance of detection. Because the API returns up to 20 secrets per call, an attacker can extract a large number of secrets while leaving a minimal footprint.

The rule looks for this behavior across several AWS regions within a short timeframe, a pattern that indicates potential credential dumping. When AWS CloudTrail records this event, particularly as a burst of high-frequency requests, the rule raises an alert so that security teams can investigate the possible attack.

The rule maps to the MITRE ATT&CK credential-access techniques and is part of the Stratus Red Team initiatives, underscoring its role in identifying and mitigating privacy breaches. The designated runbook provides further guidance on using the BatchGetSecretValue API securely, and the rule's alert metadata includes enriched attributes such as user agent, source IP, and associated AWS account IDs to support deeper investigation.
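The following is an added, self-contained illustration of the detection logic described above; it is not the Panther rule's own code. It assumes a 10-minute window and a two-region threshold (the page gives no exact values) and runs over constructed CloudTrail-shaped records embedded inline.

```python
# Added illustration, not the Panther rule's own code: flags an actor who calls
# secretsmanager:BatchGetSecretValue in several regions within a short window.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed "short timeframe"; the page gives no value
MIN_REGIONS = 2                 # assumed threshold for "multiple regions"

def is_batch_get_secret_value(event: dict) -> bool:
    """Match the CloudTrail record for the BatchGetSecretValue API call."""
    return (event.get("eventSource") == "secretsmanager.amazonaws.com"
            and event.get("eventName") == "BatchGetSecretValue")

def actor_key(event: dict) -> str:
    """Identify the caller: ARN when present, otherwise the principal id."""
    identity = event.get("userIdentity", {})
    return identity.get("arn") or identity.get("principalId") or "unknown"

def find_multi_region_actors(events: list) -> dict:
    """Return {actor: sorted regions} for actors whose BatchGetSecretValue
    calls span >= MIN_REGIONS distinct regions inside some WINDOW."""
    hits = defaultdict(list)
    for ev in events:
        if is_batch_get_secret_value(ev):
            ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
            hits[actor_key(ev)].append((ts, ev["awsRegion"]))
    flagged = {}
    for actor, calls in hits.items():
        calls.sort()  # chronological, then slide the window from each call
        for i, (start, _) in enumerate(calls):
            regions = {r for t, r in calls[i:] if t - start <= WINDOW}
            if len(regions) >= MIN_REGIONS:
                flagged[actor] = sorted(regions)
                break
    return flagged

# Constructed sample records in trimmed CloudTrail shape, not real log data.
def _rec(time, region, user, name="BatchGetSecretValue"):
    return {"eventTime": time, "awsRegion": region, "eventName": name,
            "eventSource": "secretsmanager.amazonaws.com",
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"}}

SAMPLE_EVENTS = [
    _rec("2025-02-03T10:00:00Z", "us-east-1", "alice"),
    _rec("2025-02-03T10:02:00Z", "eu-west-1", "alice"),
    _rec("2025-02-03T10:04:00Z", "ap-southeast-2", "alice"),
    _rec("2025-02-03T10:00:00Z", "us-east-1", "bob"),
    _rec("2025-02-03T16:00:00Z", "eu-west-1", "bob"),  # hours apart: not flagged
    _rec("2025-02-03T10:01:00Z", "eu-west-1", "carol", "GetSecretValue"),  # ignored
]
```

Only alice is flagged: her three calls hit three regions within four minutes, while bob's two regions are six hours apart and carol's single-secret GetSecretValue call never matches the rule.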
Categories
  • Cloud
  • AWS
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
  • Logon Session
ATT&CK Techniques
  • T1552
Created: 2025-02-03