
Summary
This threat detection rule identifies a single source IP address that, within a short time window, uses authenticated sessions to access secret management services in more than one cloud platform: AWS Secrets Manager, Google Secret Manager, and Azure Key Vault. That pattern is a typical follow-on to credential theft, session hijacking, or token replay, where an attacker uses compromised credentials or tokens to harvest secrets from every store they can reach. The rule is written in ES|QL and matches specific secret-access API events emitted by those services, so it only produces results if the AWS, Azure, and GCP integrations are all set up and their audit logs are being ingested; a gap in any one of them silently removes that cloud from the correlation. The alert flags potentially malicious cross-cloud access and should be triaged by confirming the user identities involved in each session, reviewing what those sessions actually did, and checking the reputation of the source IP address (a CI runner or a shared egress address that legitimately holds sessions in several clouds is the most common benign explanation). The risk score is 73, which maps to high severity.
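The following is an added worked example, not the rule's own ES|QL and not code from the rule's authors. It re-implements the correlation the summary describes in Python over a handful of constructed audit events: group secret-read events by source IP, slide a time window over each IP's events, and alert when the window spans at least two cloud providers. The ECS-style field names, the five-minute window, and the per-provider list of secret-read API actions are all assumptions for the example; the page does not state which fields, window, or API calls the real rule uses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Representative secret-read operations per provider. The page does not list the
# API calls the rule matches, so this mapping is an assumption for the example.
SECRET_READ_ACTIONS = {
    "aws": {"GetSecretValue", "BatchGetSecretValue"},
    "gcp": {"google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"},
    "azure": {"SecretGet"},
}

WINDOW = timedelta(minutes=5)  # "brief timeframe" on the page; 5 minutes is assumed
MIN_PROVIDERS = 2              # cross-cloud means at least two distinct providers


def _ts(value):
    """Parse an ISO-8601 timestamp with explicit offset into a datetime."""
    return datetime.fromisoformat(value)


# Constructed sample events (ECS-like field names are an assumption, not the rule's schema).
EVENTS = [
    # One IP reading secrets from three clouds within about three minutes: should alert.
    {"@timestamp": "2025-12-01T10:00:05+00:00", "source.ip": "203.0.113.7",
     "cloud.provider": "aws", "event.action": "GetSecretValue", "user.name": "ci-deployer"},
    {"@timestamp": "2025-12-01T10:01:40+00:00", "source.ip": "203.0.113.7",
     "cloud.provider": "gcp",
     "event.action": "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion",
     "user.name": "ci-deployer@example.iam.gserviceaccount.com"},
    {"@timestamp": "2025-12-01T10:03:12+00:00", "source.ip": "203.0.113.7",
     "cloud.provider": "azure", "event.action": "SecretGet", "user.name": "ci-deployer@example.com"},
    # One IP hammering a single cloud, plus a Key Vault management call that is not a
    # secret read: single provider, should not alert.
    {"@timestamp": "2025-12-01T10:00:00+00:00", "source.ip": "198.51.100.23",
     "cloud.provider": "aws", "event.action": "GetSecretValue", "user.name": "app-prod"},
    {"@timestamp": "2025-12-01T10:02:00+00:00", "source.ip": "198.51.100.23",
     "cloud.provider": "aws", "event.action": "GetSecretValue", "user.name": "app-prod"},
    {"@timestamp": "2025-12-01T10:04:00+00:00", "source.ip": "198.51.100.23",
     "cloud.provider": "azure", "event.action": "VaultGet", "user.name": "app-prod@example.com"},
    # Two clouds from one IP, but hours apart: outside the window, should not alert.
    {"@timestamp": "2025-12-01T09:00:00+00:00", "source.ip": "192.0.2.44",
     "cloud.provider": "aws", "event.action": "GetSecretValue", "user.name": "batch-job"},
    {"@timestamp": "2025-12-01T11:30:00+00:00", "source.ip": "192.0.2.44",
     "cloud.provider": "azure", "event.action": "SecretGet", "user.name": "batch-job@example.com"},
]


def detect_cross_cloud_secret_access(events, window=WINDOW, min_providers=MIN_PROVIDERS):
    """Return one alert per source IP whose secret-read events span at least
    `min_providers` distinct cloud providers inside some `window`-sized sliding window.
    The alert carries the triage context the summary calls for: users and time span."""
    by_ip = defaultdict(list)
    for event in events:
        # Keep only the API actions that actually return secret material.
        if event["event.action"] in SECRET_READ_ACTIONS.get(event["cloud.provider"], set()):
            by_ip[event["source.ip"]].append(event)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: _ts(e["@timestamp"]))
        best, start = None, 0
        for end, event in enumerate(evs):
            # Advance the left edge until the window fits within `window`.
            while _ts(event["@timestamp"]) - _ts(evs[start]["@timestamp"]) > window:
                start += 1
            span = evs[start:end + 1]
            providers = sorted({e["cloud.provider"] for e in span})
            # Keep the window with the widest provider spread for this IP.
            if len(providers) >= min_providers and (best is None or len(providers) > len(best["providers"])):
                best = {
                    "source.ip": ip,
                    "providers": providers,
                    "users": sorted({e["user.name"] for e in span}),
                    "first_seen": span[0]["@timestamp"],
                    "last_seen": span[-1]["@timestamp"],
                    "event_count": len(span),
                }
        if best:
            alerts.append(best)
    return sorted(alerts, key=lambda a: a["source.ip"])


if __name__ == "__main__":
    for alert in detect_cross_cloud_secret_access(EVENTS):
        print(alert)
```

Widening the window (for example to three hours) makes the 192.0.2.44 pair fire as well, which is the tuning trade-off behind the rule: a longer window catches slow harvesting but pulls in more shared-egress and CI traffic, so the window should be set from the environment's baseline rather than left at a guess.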
Categories
- Cloud
- Infrastructure
- Identity Management
Data Sources
- Cloud Service
- Web Credential
- User Account
- Network Traffic
ATT&CK Techniques
- T1555
- T1555.006
Created: 2025-12-01