AWS WAF Managed Bot Control Passthrough Rule

Panther Rules

Summary
Detects matches to the AWS WAF Managed Bot Control Rule Set at the edge (web/application traffic) to identify automated or bot-driven activity. The rule covers automated browser signals, HTTP library user agents, scraping frameworks, known bot data centers, and targeted bot protections including token abuse and coordinated activity. It supports both blocking and non-terminating signals (COUNT) based on the Bot Control group’s findings. The rule maps to MITRE technique TA0043:T1595 and is intended to supplement threat hunting with rapid identification of automated access patterns in web traffic. The runbook advises correlation across requests by client IP within a 24-hour window, evaluation of user-agent legitimacy, and cross-checking for persistent activity over the prior 7 days. Reference documentation and example test logs demonstrate both blocking events (terminatingRuleId AWS-AWSManagedRulesBotControlRuleSet) and non-terminating signals, including detection of scraping frameworks (e.g., Scrapy) and targeted token abuse signals (e.g., TGT_TokenReuseIpHigh). Deduplication is set to 60 minutes with a threshold of 1 to surface a single alert per bot activity window.
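The detection logic the summary describes, written as a Panther-style rule with `rule`, `title` and `dedup` functions, follows as an added example; it is not Panther's own rule code. It assumes the AWS WAF log field names (`terminatingRuleId`, `action`, `ruleGroupList`, `httpRequest.headers`), that the managed group may appear as `AWS#AWSManagedRulesBotControlRuleSet` in `ruleGroupId` as well as the `AWS-AWSManagedRulesBotControlRuleSet` form shown above, that `CategoryScrapingFramework` is the Bot Control rule id reported for a Scrapy user agent, and that deduplicating by client IP matches the runbook's per-IP correlation. The three log events at the bottom are constructed for the example.

```python
"""Added example, not Panther's own rule code: a Panther-style rule for the
AWS WAF Bot Control passthrough detection. Field names follow the AWS WAF log
schema (terminatingRuleId, action, ruleGroupList, httpRequest); the three
events at the bottom are constructed for this example."""

# The page shows the rule set as "AWS-AWSManagedRulesBotControlRuleSet" in
# terminatingRuleId; WAF logs may carry "AWS#AWSManagedRulesBotControlRuleSet"
# in ruleGroupId, so we match on the shared token (assumption).
BOT_CONTROL_TOKEN = "AWSManagedRulesBotControlRuleSet"


def _is_bot_control(rule_id):
    return bool(rule_id) and BOT_CONTROL_TOKEN in rule_id


def bot_control_signals(event):
    """Return [(rule_id, action), ...] for every Bot Control finding in a WAF event.

    Both terminating (BLOCK) and non-terminating (COUNT) matches are collected,
    so the rule fires on passthrough signals as well as enforced blocks.
    """
    signals = []
    for group in event.get("ruleGroupList", []):
        if not _is_bot_control(group.get("ruleGroupId")):
            continue
        terminating = group.get("terminatingRule") or {}
        if terminating.get("ruleId"):
            signals.append((terminating["ruleId"], terminating.get("action", "BLOCK")))
        for match in group.get("nonTerminatingMatchingRules", []):
            signals.append((match.get("ruleId", "unknown"), match.get("action", "COUNT")))
    # Fallback: the rule set is named as the terminating rule without group detail.
    if not signals and _is_bot_control(event.get("terminatingRuleId")):
        signals.append((event["terminatingRuleId"], event.get("action", "BLOCK")))
    return signals


def user_agent(event):
    """Extract the User-Agent header from the WAF httpRequest block."""
    for header in event.get("httpRequest", {}).get("headers", []):
        if header.get("name", "").lower() == "user-agent":
            return header.get("value", "")
    return ""


def rule(event):
    """Panther rule entry point: alert on any Bot Control finding (BLOCK or COUNT)."""
    return bool(bot_control_signals(event))


def title(event):
    """Alert title: matched Bot Control rules, client IP and the claimed user agent."""
    client_ip = event.get("httpRequest", {}).get("clientIp", "unknown")
    findings = ", ".join(f"{rid} ({action})" for rid, action in bot_control_signals(event))
    return f"AWS WAF Bot Control: {findings} from {client_ip} UA={user_agent(event)!r}"


def dedup(event):
    """Group alerts per client IP, matching the runbook's per-IP correlation (assumption)."""
    return event.get("httpRequest", {}).get("clientIp", "unknown")


# Constructed sample events (not real traffic); 203.0.113.0/24 is documentation space.
BLOCKED_EVENT = {
    "action": "BLOCK",
    "terminatingRuleId": "AWS-AWSManagedRulesBotControlRuleSet",
    "ruleGroupList": [{
        "ruleGroupId": "AWS#AWSManagedRulesBotControlRuleSet",
        "terminatingRule": {"ruleId": "CategoryScrapingFramework", "action": "BLOCK"},
        "nonTerminatingMatchingRules": [],
    }],
    "httpRequest": {"clientIp": "203.0.113.10",
                    "headers": [{"name": "User-Agent", "value": "Scrapy/2.11 (+https://scrapy.org)"}]},
}
COUNT_EVENT = {
    "action": "ALLOW",
    "terminatingRuleId": "Default_Action",
    "ruleGroupList": [{
        "ruleGroupId": "AWS#AWSManagedRulesBotControlRuleSet",
        "terminatingRule": None,
        "nonTerminatingMatchingRules": [{"ruleId": "TGT_TokenReuseIpHigh", "action": "COUNT"}],
    }],
    "httpRequest": {"clientIp": "203.0.113.20",
                    "headers": [{"name": "User-Agent", "value": "Mozilla/5.0"}]},
}
BENIGN_EVENT = {
    "action": "ALLOW", "terminatingRuleId": "Default_Action", "ruleGroupList": [],
    "httpRequest": {"clientIp": "203.0.113.30",
                    "headers": [{"name": "User-Agent", "value": "Mozilla/5.0"}]},
}

if __name__ == "__main__":
    for evt in (BLOCKED_EVENT, COUNT_EVENT, BENIGN_EVENT):
        print(rule(evt), title(evt) if rule(evt) else "no Bot Control finding")
```

The COUNT branch is what makes this a passthrough rule: a request allowed by the web ACL still produces an alert when the Bot Control group reports a non-terminating signal such as `TGT_TokenReuseIpHigh`, so analysts see the activity before enforcement is switched on.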
Categories
  • Web
  • Application
Data Sources
  • Network Traffic
ATT&CK Techniques
  • T1595
Created: 2026-03-31