
Summary
This detection rule identifies the first time a specific user identity successfully retrieves a secret value from AWS Secrets Manager programmatically. It is particularly relevant when adversaries gain access to legitimate AWS services such as EC2 instances or Lambda functions and leverage the IAM roles assigned to those services to read sensitive information stored in Secrets Manager. The detection is based on API calls to `GetSecretValue` or `BatchGetSecretValue` whose outcome is marked as success. False positives may occur due to legitimate service calls, so a thorough investigation is encouraged to validate suspicious activity.
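As an added example, not the rule's own query or implementation, the following Python applies the predicate described above (Secrets Manager `GetSecretValue` or `BatchGetSecretValue`, successful outcome, first occurrence per identity) to a handful of constructed CloudTrail-style events. The field names are CloudTrail's own (`eventSource`, `eventName`, `errorCode`, `userIdentity.arn`); the `seen` set standing in for the rule's history of already-observed identities is an assumption about how a first-seen rule keeps state.

```python
"""Added example: first-seen detection for successful Secrets Manager reads.

The events below are constructed, not real logs. Field names follow
CloudTrail's record format; the `seen` set is an assumed stand-in for the
rule's history of identities already observed reading a secret.
"""

SECRET_READ_ACTIONS = {"GetSecretValue", "BatchGetSecretValue"}
SECRETS_MANAGER = "secretsmanager.amazonaws.com"


def is_successful_secret_read(event: dict) -> bool:
    """Rule predicate: a Secrets Manager read API call that did not fail."""
    return (
        event.get("eventSource") == SECRETS_MANAGER
        and event.get("eventName") in SECRET_READ_ACTIONS
        # CloudTrail only sets errorCode on failures (e.g. AccessDenied),
        # so its absence is the "outcome marked as success" condition.
        and not event.get("errorCode")
    )


def identity_key(event: dict) -> str:
    """Identity the first-seen check keys on: the caller's (session) ARN."""
    return event.get("userIdentity", {}).get("arn", "<unknown>")


def first_time_secret_reads(events, seen=None):
    """Return one alert per identity the first time it reads a secret.

    `seen` carries identities already observed (persistent history in a real
    rule). Identities are added as they appear, so repeat reads by the same
    identity in the stream are suppressed.
    """
    seen = set() if seen is None else seen
    alerts = []
    for ev in events:
        if not is_successful_secret_read(ev):
            continue
        key = identity_key(ev)
        if key in seen:
            continue
        seen.add(key)
        alerts.append({
            "time": ev.get("eventTime"),
            "identity": key,
            "action": ev["eventName"],
            "source_ip": ev.get("sourceIPAddress"),
            "secret": (ev.get("requestParameters") or {}).get("secretId"),
        })
    return alerts


def _event(time, arn, name, secret=None, error=None, ip="203.0.113.10"):
    """Build a constructed CloudTrail-style record for the sample below."""
    ev = {
        "eventTime": time,
        "eventSource": SECRETS_MANAGER,
        "eventName": name,
        "userIdentity": {"type": "AssumedRole", "arn": arn},
        "sourceIPAddress": ip,
        "requestParameters": {"secretId": secret} if secret else {},
    }
    if error:
        ev["errorCode"] = error
    return ev


# Constructed sample: a CI role reading a secret twice, an EC2 instance role
# that is first denied and then succeeds, and an unrelated describe call.
CI_ROLE = "arn:aws:sts::123456789012:assumed-role/ci-deploy/i-0abc"
EC2_ROLE = "arn:aws:sts::123456789012:assumed-role/web-ec2-role/i-0def"
SAMPLE_EVENTS = [
    _event("2024-01-01T10:00:00Z", CI_ROLE, "GetSecretValue", "prod/db/password"),
    _event("2024-01-01T10:05:00Z", CI_ROLE, "GetSecretValue", "prod/db/password"),
    _event("2024-01-01T10:06:00Z", CI_ROLE, "DescribeSecret", "prod/api/key"),
    _event("2024-01-01T11:00:00Z", EC2_ROLE, "GetSecretValue", "prod/api/key",
           error="AccessDeniedException", ip="198.51.100.7"),
    _event("2024-01-01T11:02:00Z", EC2_ROLE, "BatchGetSecretValue", ip="198.51.100.7"),
]

if __name__ == "__main__":
    for alert in first_time_secret_reads(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the CI role alerts once (its second read is suppressed), the denied EC2 call is ignored, and the EC2 role alerts on its first successful `BatchGetSecretValue`. Seeding `seen` with identities known from a baseline period is how the known-good CI role would be kept out of the alerts in practice.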
Categories
- Cloud
- AWS
- Identity Management
Data Sources
- Cloud Service
- Application Log
- User Account
- Process
ATT&CK Techniques
- T1555
- T1555.006
Created: 2020-07-06