
Summary
This detection rule identifies potential Local File Inclusion (LFI) attacks on web servers by monitoring HTTP GET requests that attempt to access sensitive files using directory traversal methods. LFI vulnerabilities allow attackers to read unauthorized files and possibly gain additional information about the system or a foothold on the server. The rule is designed to analyze logs from various web server types (Nginx, Apache, Apache Tomcat, and IIS) for patterns that indicate such malicious activity. It specifically looks for the presence of certain patterns in the URL that could indicate traversal attempts or access to sensitive file locations on both Linux and Windows systems. The constructed ESQL query checks for various known paths to sensitive files and anomalous traversal patterns, keeping useful event metadata for further investigation. The overall risk score for this detection rule is classified as low, with the intention of enhancing the security posture against unauthorized access and data leakage incidents through careful monitoring of web server activity.
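The traversal and sensitive-path checks described above, run over a few constructed access-log lines, as an added Python illustration; this is not the rule's ESQL query, and the combined-log-format lines, the path list, the decoding depth and the function names are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not from any real server.
SAMPLE_LOGS = [
    '10.0.0.5 - - [02/Dec/2025:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.7 - - [02/Dec/2025:10:00:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.8 - - [02/Dec/2025:10:00:03 +0000] "GET /view?file=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0',
    '10.0.0.9 - - [02/Dec/2025:10:00:04 +0000] "GET /download?f=..%255c..%255cwindows%255cwin.ini HTTP/1.1" 200 300',
    '10.0.0.6 - - [02/Dec/2025:10:00:05 +0000] "POST /index.php?page=../../etc/passwd HTTP/1.1" 200 100',
    '10.0.0.4 - - [02/Dec/2025:10:00:06 +0000] "GET /static/img/logo.png HTTP/1.1" 200 2048',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)

# Assumed watch-list of sensitive locations on Linux and Windows hosts (example only).
SENSITIVE_PATHS = (
    '/etc/passwd', '/etc/shadow', '/proc/self/environ', '/var/log/',
    'windows/win.ini', 'windows/system32/', 'boot.ini',
)

def normalize(url):
    # Decode up to three times so single- and double-encoded traversal collapses to the
    # same form, then lowercase and fold backslashes so Windows-style "..\" matches "../".
    prev, cur = None, url
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.lower().replace('\\', '/')

def classify(line):
    # Return a finding with the metadata an analyst needs, or None if the line is benign.
    m = LOG_RE.match(line)
    if not m or m['method'] != 'GET':  # the rule only monitors GET requests
        return None
    url = normalize(m['url'])
    reasons = []
    if '../' in url:
        reasons.append('traversal')
    hits = [p for p in SENSITIVE_PATHS if p in url]
    if hits:
        reasons.append('sensitive_path:' + hits[0])
    if not reasons:
        return None
    return {'src': m['src'], 'ts': m['ts'], 'url': m['url'],
            'status': m['status'], 'reasons': reasons}

def scan(lines):
    return [r for r in (classify(l) for l in lines) if r]
```

The 403 on the `%2e%2e%2f` request is still reported: the rule matches on the request pattern, so blocked probes surface alongside successful reads and the status field is kept for triage.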
Categories
- Web
- Infrastructure
Data Sources
- Network Traffic
- Web Credential
- Application Log
ATT&CK Techniques
- T1083
Created: 2025-12-02