
Rapid Secret Retrieval Attempts from AWS SecretsManager

Elastic Detection Rules

Summary
This rule detects rapid secret retrieval from AWS Secrets Manager through the `GetSecretValue` or `BatchGetSecretValue` API actions, which adversaries use to programmatically pull stored secrets once they hold AWS credentials. It is a threshold rule: an alert fires when 20 or more successful retrievals (calls that complete without an error code) are made by the same user identity within the rule's time window. Note that a single `BatchGetSecretValue` call can return several secrets, so the call count understates the number of secrets actually exposed.

Investigation steps include identifying the user identity behind the calls, verifying whether that volume of retrieval is expected for the role or workload, and checking for anomalies in user agent strings and source IP addresses (an unfamiliar CLI or SDK, or an address outside the account's usual ranges). False positives arise from legitimate high-volume operations such as deployment or rotation jobs, so the rule may need tuning and exclusions based on user roles and expected behaviors. The aim is to surface credential access attempts in cloud environments so that unusual activity is investigated and addressed promptly.
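As an added illustration (not Elastic's rule code and not part of the original page), the following Python reproduces the rule's counting logic over constructed CloudTrail-style records: it keeps only successful Secrets Manager read calls, groups them by `userIdentity.arn`, finds each identity's densest window, and emits an alert with the distinct user agents, source IPs and secret IDs an analyst would triage first. The ten-minute window, the ARNs, IP addresses, user agents and secret names are all assumptions; the page states only the threshold of 20.

```python
"""Threshold detection for rapid AWS Secrets Manager reads, run over
constructed CloudTrail-style events. Added example, not Elastic's rule code."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WATCHED_EVENTS = {"GetSecretValue", "BatchGetSecretValue"}
THRESHOLD = 20                  # successful reads per identity, from the rule
WINDOW = timedelta(minutes=10)  # assumed window; the page does not state it


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_successful_secret_read(event):
    """The rule's predicate: a Secrets Manager read API call with no errorCode."""
    return (event.get("eventSource") == "secretsmanager.amazonaws.com"
            and event.get("eventName") in WATCHED_EVENTS
            and "errorCode" not in event)


def secret_ids(event):
    """GetSecretValue carries secretId; BatchGetSecretValue carries secretIdList."""
    params = event.get("requestParameters") or {}
    if "secretId" in params:
        return [params["secretId"]]
    return list(params.get("secretIdList", []))


def detect_rapid_retrieval(events, threshold=THRESHOLD, window=WINDOW):
    """One alert per identity whose densest `window` holds >= threshold reads,
    with the distinct user agents, source IPs and secret IDs seen in it."""
    per_actor = defaultdict(list)
    for e in events:
        if is_successful_secret_read(e):
            per_actor[e["userIdentity"]["arn"]].append(e)
    alerts = []
    for arn, evs in per_actor.items():
        evs.sort(key=lambda e: e["eventTime"])
        times = [parse_time(e["eventTime"]) for e in evs]
        best, start = (0, 0, 0), 0               # (count, first index, last index)
        for end in range(len(evs)):              # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        if best[0] >= threshold:
            hits = evs[best[1]:best[2] + 1]
            alerts.append({
                "actor": arn, "count": best[0],
                "first": hits[0]["eventTime"], "last": hits[-1]["eventTime"],
                "user_agents": sorted({h["userAgent"] for h in hits}),
                "source_ips": sorted({h["sourceIPAddress"] for h in hits}),
                "secrets": sorted({s for h in hits for s in secret_ids(h)}),
            })
    return alerts


def make_event(when, arn, name, params, ip, ua, error=None,
               source="secretsmanager.amazonaws.com"):
    """Build a minimal CloudTrail record (constructed sample data)."""
    rec = {"eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"), "eventSource": source,
           "eventName": name, "userIdentity": {"arn": arn}, "sourceIPAddress": ip,
           "userAgent": ua, "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec


def sample_events():
    """Constructed records: one noisy role session and one quiet IAM user (assumed ARNs)."""
    t0 = datetime(2024, 4, 11, 10, 0, tzinfo=timezone.utc)
    noisy = "arn:aws:sts::123456789012:assumed-role/AppRole/i-0abc"
    quiet = "arn:aws:iam::123456789012:user/alice"
    cli, ip = "aws-cli/2.15.0 Python/3.11.6", "203.0.113.7"
    events = [make_event(t0 + timedelta(seconds=3 * i), noisy, "GetSecretValue",
                         {"secretId": f"prod/db/secret-{i}"}, ip, cli) for i in range(21)]
    events.append(make_event(t0 + timedelta(seconds=63), noisy, "BatchGetSecretValue",
                             {"secretIdList": ["prod/app/api-key", "prod/app/signing-key"]}, ip, cli))
    # two denied reads by the same session: excluded because errorCode is present
    events += [make_event(t0 + timedelta(seconds=30 + i), noisy, "GetSecretValue",
                          {"secretId": "prod/hr/payroll"}, ip, cli, error="AccessDeniedException")
               for i in range(2)]
    # a Parameter Store read by the same session: different service, never counted
    events.append(make_event(t0 + timedelta(seconds=40), noisy, "GetParameter",
                             {"name": "/prod/flag"}, ip, cli, source="ssm.amazonaws.com"))
    # three reads by an engineer a minute apart: well below the threshold
    events += [make_event(t0 + timedelta(minutes=5 + i), quiet, "GetSecretValue",
                          {"secretId": "prod/db/secret-0"}, "198.51.100.20", "Boto3/1.34.0")
               for i in range(3)]
    return events


if __name__ == "__main__":
    for alert in detect_rapid_retrieval(sample_events()):
        print(json.dumps(alert, indent=2))
```

On the constructed data only the role session alerts (22 counted calls; the two `AccessDeniedException` reads and the SSM call are ignored), and the alert lists 23 secret IDs even though only 22 calls were made, which is the batch-call caveat from the summary in numbers. Tuning the rule is a matter of lowering or raising `threshold`, shortening `window`, or excluding known-good ARNs before grouping.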
Categories
  • Cloud
  • AWS
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1555
  • T1555.006
Created: 2024-04-11