
AWS WAF Managed Anti-DDoS Passthrough Rule

Panther Rules

Summary
This rule detects matches to the AWS WAF Managed Anti-DDoS Rule Group (AWS-AWSManagedRulesAntiDDoSRuleSet) in WAF web ACL logs. It fires when any of the group's anti-DDoS rules (DDoSRequests, ChallengeDDoSRequests or ChallengeAllDuringEvent) matches a request during detected DDoS activity, whether that match terminated the request (BLOCK) or only counted it (a non-terminating COUNT match that signals suspicious traffic without blocking it). The rule is a pass-through alerting detection: it reports that anti-DDoS mitigation has engaged and does not change how WAF handles traffic. Each alert surfaces the evidence a responder needs from the log event: webaclId, terminatingRuleId (the name given to the rule group reference in the web ACL, which is AWS-AWSManagedRulesAntiDDoSRuleSet when the default name is kept), httpSourceName, and the httpRequest fields clientIp, country, uri and httpMethod. The included tests cover the cases where the Anti-DDoS group terminates requests with BLOCK, where non-terminating COUNT matches indicate potential DDoS activity, and, as negative cases, matches on other rule groups and normal allowed traffic, neither of which should alert. The runbook directs the analyst to review the 1-hour window around the alert for traffic volume and patterns, to correlate with AWS Shield Advanced events and other anti-DDoS alerts from the past 6 hours, and to check threat intelligence feeds for known DDoS actors. The rule links to the AWS documentation for the managed rule group. It uses a 60-minute dedup window and a threshold of 1, so a single matching event raises an alert and further matches within the window are folded into it.
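The detection logic described above, written out as an added example in the Panther rule style (rule, title, severity, dedup and alert_context functions). This is not the published Panther rule's own code; it is a reimplementation of the behaviour the summary describes, run over constructed sample WAF log events. The field layout it reads (ruleGroupList[].ruleGroupId, ruleGroupList[].terminatingRule, ruleGroupList[].nonTerminatingMatchingRules, httpRequest) is the standard AWS WAF log format; matching on ruleGroupId rather than on terminatingRuleId is a deliberate choice, because the web ACL rule name in terminatingRuleId is operator-chosen and may not be the default. The web ACL ARN, IPs and URIs in the samples are made up.

```python
"""Illustrative Panther-style rule for AWS WAF Anti-DDoS rule group matches (added example)."""
from typing import Any, Dict, List, Tuple

# Rules inside the managed group whose match means anti-DDoS mitigation engaged.
ANTI_DDOS_RULES = {"DDoSRequests", "ChallengeDDoSRequests", "ChallengeAllDuringEvent"}
# Stable identifier of the managed group as it appears in ruleGroupList[].ruleGroupId
# (e.g. "AWS#AWSManagedRulesAntiDDoSRuleSet"); terminatingRuleId carries the
# operator-chosen web ACL rule name, so it is not used as the match key.
ANTI_DDOS_GROUP = "AWSManagedRulesAntiDDoSRuleSet"


def anti_ddos_matches(event: Dict[str, Any]) -> List[Tuple[str, str, bool]]:
    """Return (ruleId, action, terminating) for each Anti-DDoS rule that fired."""
    hits: List[Tuple[str, str, bool]] = []
    for group in event.get("ruleGroupList") or []:
        if ANTI_DDOS_GROUP not in str(group.get("ruleGroupId", "")):
            continue
        # A terminating match (BLOCK) ends evaluation; a null terminatingRule means
        # the group only produced non-terminating COUNT/CHALLENGE matches, if any.
        term = group.get("terminatingRule") or {}
        if term.get("ruleId") in ANTI_DDOS_RULES:
            hits.append((term["ruleId"], term.get("action", ""), True))
        for ntm in group.get("nonTerminatingMatchingRules") or []:
            if ntm.get("ruleId") in ANTI_DDOS_RULES:
                hits.append((ntm["ruleId"], ntm.get("action", ""), False))
    return hits


def rule(event: Dict[str, Any]) -> bool:
    # Pass-through detection: alert on any Anti-DDoS match, terminating or not.
    return bool(anti_ddos_matches(event))


def severity(event: Dict[str, Any]) -> str:
    # A terminating BLOCK dropped real traffic; COUNT/CHALLENGE hits are only signals.
    return "MEDIUM" if any(t for _, _, t in anti_ddos_matches(event)) else "LOW"


def title(event: Dict[str, Any]) -> str:
    req = event.get("httpRequest") or {}
    rules = ", ".join(sorted({r for r, _, _ in anti_ddos_matches(event)}))
    return (f"AWS WAF Anti-DDoS rules [{rules}] matched on web ACL [{event.get('webaclId')}] "
            f"from [{req.get('clientIp')}] ({req.get('country')}) "
            f"{req.get('httpMethod')} {req.get('uri')}")


def dedup(event: Dict[str, Any]) -> str:
    # One alert per web ACL per dedup window (60 minutes in the published rule).
    return str(event.get("webaclId"))


def alert_context(event: Dict[str, Any]) -> Dict[str, Any]:
    req = event.get("httpRequest") or {}
    return {
        "webaclId": event.get("webaclId"),
        "terminatingRuleId": event.get("terminatingRuleId"),
        "action": event.get("action"),
        "httpSourceName": event.get("httpSourceName"),
        "clientIp": req.get("clientIp"),
        "country": req.get("country"),
        "uri": req.get("uri"),
        "httpMethod": req.get("httpMethod"),
        "antiDdosRules": [r for r, _, _ in anti_ddos_matches(event)],
    }


# Constructed sample events (hypothetical ARN, TEST-NET client IPs).
WEB_ACL = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example-acl/00000000-0000-0000-0000-000000000000"


def _event(**overrides: Any) -> Dict[str, Any]:
    ev: Dict[str, Any] = {
        "webaclId": WEB_ACL, "httpSourceName": "ALB", "action": "ALLOW",
        "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR",
        "ruleGroupList": [], "nonTerminatingMatchingRules": [],
        "httpRequest": {"clientIp": "203.0.113.7", "country": "US",
                        "uri": "/login", "httpMethod": "POST"},
    }
    ev.update(overrides)
    return ev


SAMPLE_BLOCK = _event(action="BLOCK", terminatingRuleId="AWS-AWSManagedRulesAntiDDoSRuleSet",
                      terminatingRuleType="MANAGED_RULE_GROUP",
                      ruleGroupList=[{"ruleGroupId": "AWS#AWSManagedRulesAntiDDoSRuleSet",
                                      "terminatingRule": {"ruleId": "DDoSRequests", "action": "BLOCK"},
                                      "nonTerminatingMatchingRules": []}])
SAMPLE_COUNT = _event(ruleGroupList=[{"ruleGroupId": "AWS#AWSManagedRulesAntiDDoSRuleSet",
                                      "terminatingRule": None,
                                      "nonTerminatingMatchingRules": [
                                          {"ruleId": "ChallengeDDoSRequests", "action": "COUNT"}]}])
SAMPLE_OTHER_GROUP = _event(action="BLOCK", terminatingRuleId="AWS-AWSManagedRulesCommonRuleSet",
                            terminatingRuleType="MANAGED_RULE_GROUP",
                            ruleGroupList=[{"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
                                            "terminatingRule": {"ruleId": "NoUserAgent_HEADER", "action": "BLOCK"},
                                            "nonTerminatingMatchingRules": []}])
SAMPLE_ALLOW = _event()

if __name__ == "__main__":
    for name, ev in [("block", SAMPLE_BLOCK), ("count", SAMPLE_COUNT),
                     ("other_group", SAMPLE_OTHER_GROUP), ("allow", SAMPLE_ALLOW)]:
        print(name, rule(ev), title(ev) if rule(ev) else "")
```

Running the block prints which of the four constructed events alert: the Anti-DDoS BLOCK and COUNT events do, the Common rule set BLOCK and the plain ALLOW do not. Because the COUNT case alerts too, the rule will fire on web ACLs where the Anti-DDoS group is deployed in count mode, which is expected for a pass-through detection but worth keeping in mind when tuning severity.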
Categories
  • Web
Data Sources
  • Network Traffic
ATT&CK Techniques
  • T1499
Created: 2026-03-31