
Summary
This detection rule monitors for the AWS API call `GetBucketReplication`, which retrieves the replication configuration of an S3 bucket. Threat actors who compromise an AWS account often perform enumeration and reconnaissance to assess the environment and gather information for follow-on attacks. Monitoring `GetBucketReplication` matters because the call can indicate that an attacker is trying to identify replication configurations for sensitive buckets or data. The rule uses Splunk's Search Processing Language (SPL) to track the API calls and capture relevant attributes such as user identity, source IP, and request parameters. The data is enriched through DNS lookup and geolocation to add context about the source of the API calls, which aids incident response by pinpointing the geographic location and origin associated with suspicious activity.
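The filtering and enrichment logic the rule performs, as an added Python example (not the rule's own SPL and not code from the rule's author); the CloudTrail records, the reverse-DNS table and the geolocation table are constructed stand-ins, and it also handles the case where CloudTrail carries an AWS service name instead of an IP in `sourceIPAddress`:

```python
import ipaddress
import json

# Constructed sample CloudTrail records (not real telemetry), trimmed to the fields the rule inspects.
SAMPLE_EVENTS = [
    {"eventTime": "2024-02-26T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketReplication", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {"bucketName": "example-finance-bucket"}},
    {"eventTime": "2024-02-26T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketReplication", "sourceIPAddress": "s3.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "s3.amazonaws.com"},
     "requestParameters": {"bucketName": "example-backup-bucket"}},
    {"eventTime": "2024-02-26T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {"bucketName": "example-finance-bucket"}},
]

# Hypothetical offline stand-ins for the reverse-DNS and geolocation lookups the rule performs.
REVERSE_DNS = {"203.0.113.10": "vpn-exit.example.net"}
GEO_BY_PREFIX = {"203.0.113.0/24": {"city": "Example City", "country": "ZZ"}}

def enrich_source(ip_text):
    """Resolve hostname and geolocation for a source; CloudTrail may carry a service name, not an IP."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return {"hostname": None, "geo": None, "note": "non-IP source (call made by an AWS service)"}
    geo = next((g for prefix, g in GEO_BY_PREFIX.items() if ip in ipaddress.ip_network(prefix)), None)
    return {"hostname": REVERSE_DNS.get(ip_text), "geo": geo, "note": None}

def detect_bucket_replication_enum(events):
    """Return one enriched finding per s3 GetBucketReplication call in the event stream."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") != "GetBucketReplication":
            continue
        ident = ev.get("userIdentity", {})
        findings.append({
            "time": ev.get("eventTime"),
            "user": ident.get("arn") or ident.get("invokedBy"),
            "user_type": ident.get("type"),
            "bucket": ev.get("requestParameters", {}).get("bucketName"),
            "source_ip": ev.get("sourceIPAddress"),
            **enrich_source(ev.get("sourceIPAddress", "")),
        })
    return findings

if __name__ == "__main__":
    for finding in detect_bucket_replication_enum(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Service-originated calls (the second record) surface without hostname or geolocation, so an analyst can separate them from interactive principals during triage.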
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Web Credential
- Network Traffic
ATT&CK Techniques
- T1580
- T1619
Created: 2024-02-26