
EC2 Secrets Manager Retrieve Secrets

Panther Rules

Summary
This detection rule alerts on potentially malicious attempts to retrieve a large number of AWS Secrets Manager secrets through the `secretsmanager:GetSecretValue` API call. Specifically, it fires when more than 20 retrieval attempts are observed within a specified time frame, with alerts deduplicated over 24 hours. Bulk retrieval of this kind is characteristic of credential-access techniques and, once confirmed, warrants immediate attention because the secrets stored in Secrets Manager are sensitive by nature. The rule is enabled and uses AWS CloudTrail logs as its primary data source; its alerts are mapped to the MITRE ATT&CK credential access technique T1552. A sample test case accompanies the rule: an event recording an AccessDenied error for an attempted GetSecretValue call, which confirms that the rule's logic correctly catches unauthorized access attempts.
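An illustrative Panther-style implementation of the logic described above, added here as an example and not the rule's own source: it matches every GetSecretValue call in CloudTrail (successful or AccessDenied), groups matches by the calling principal, and flags a principal once its count exceeds 20. The CloudTrail field names are real; the per-principal dedup key, the helper names and the sample events are assumptions constructed for the demonstration.

```python
# Added illustrative Panther-style rule, not the rule's own source. Field names are
# CloudTrail's (eventSource, eventName, userIdentity.arn, errorCode); the per-principal
# dedup key is an assumption; threshold 20 and the 24-hour window come from the summary.
from collections import Counter

THRESHOLD = 20                   # alert once a principal makes more than this many calls
DEDUP_PERIOD_MINUTES = 24 * 60   # alerts for the same principal are merged for 24 hours

def rule(event: dict) -> bool:
    """Match every GetSecretValue call, whether it succeeded or was AccessDenied:
    a principal sweeping secrets is denied on most of them before finding one it can read."""
    return (
        event.get("eventSource") == "secretsmanager.amazonaws.com"
        and event.get("eventName") == "GetSecretValue"
    )

def dedup(event: dict) -> str:
    """Group matching events by calling principal (assumed dedup key)."""
    return event.get("userIdentity", {}).get("arn", "<unknown>")

def principals_over_threshold(events: list) -> dict:
    """Offline stand-in for the platform's threshold: count matches per dedup key
    within one window and keep only the keys that exceed THRESHOLD."""
    counts = Counter(dedup(e) for e in events if rule(e))
    return {key: n for key, n in counts.items() if n > THRESHOLD}

def make_event(arn: str, secret: str, error: str = None) -> dict:
    """Build a constructed CloudTrail-shaped record for the sample data below."""
    record = {
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "GetSecretValue",
        "userIdentity": {"arn": arn},
        "requestParameters": {"secretId": secret},
    }
    if error:
        record["errorCode"] = error
    return record

# Constructed sample: one principal probes 25 secrets (21 denied, 4 readable); an
# application role reads a single secret and must not alert.
SAMPLE_EVENTS = [
    make_event("arn:aws:iam::111122223333:user/probe", f"prod/secret-{i}",
               "AccessDenied" if i < 21 else None)
    for i in range(25)
] + [make_event("arn:aws:iam::111122223333:role/app", "prod/db")]

if __name__ == "__main__":
    print(principals_over_threshold(SAMPLE_EVENTS))  # → {'arn:aws:iam::111122223333:user/probe': 25}
```

In the real platform the counting and the 24-hour merge are configured on the rule (threshold and deduplication period) rather than written into `rule()`; the helper here only reproduces that behaviour so the logic can be exercised offline.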
Categories
  • Cloud
Data Sources
  • Cloud Service
  • Logon Session
ATT&CK Techniques
  • T1552
Created: 2025-02-03