
Summary
This detection rule monitors for unusual spikes in HTTP error response codes (500, 502, 503, 504) returned by web servers such as Nginx, Apache, Tomcat, and IIS. Bursts of these codes can indicate reconnaissance, including vulnerability scanning or fuzzing by attackers probing web applications for weaknesses. With a defined time frame of nine months and an evaluation period of ten minutes, the rule uses ESQL to query error responses from the various logs related to HTTP traffic. Its main goal is to identify bursts of these error codes that may point to an underlying security threat and prompt further investigation and remediation.

Key investigation steps include comparing error rates across servers, examining user agent strings and request patterns for signs of automated scanning, and correlating findings with application error logs. False positives may arise from benign conditions such as health checks or many clients sharing one NAT address, so careful analysis is required before taking action. Recommended follow-up actions include blocking suspicious clients, reinforcing application defenses, and escalating to security operations if necessary. The rule carries a low severity level and a risk score of 21, indicating a need for vigilance rather than immediate alarm.
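The following Python script is an added illustration, not the rule's own ESQL query, of the counting logic the summary describes: it parses combined-format access-log lines (the format Nginx and Apache write; Tomcat and IIS would need their own pattern), keeps only the four 5xx codes, buckets them into ten-minute windows per client, drops a hypothetical allow-list of health-check user agents to avoid the false positives mentioned above, and reports any client whose error count in a window reaches a threshold together with the user agents and distinct paths that a triage analyst would look at next. The log lines, the client addresses, the user-agent allow-list and the threshold of five are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format as written by Nginx/Apache; other servers need their own pattern.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
ERROR_CODES = {500, 502, 503, 504}   # the codes the rule watches
WINDOW_MINUTES = 10                  # the rule's evaluation period

# Hypothetical allow-list of user agents whose 5xx responses are expected noise
# (health checks); a real deployment would build this from its own inventory.
HEALTH_CHECK_UA_PREFIXES = ("kube-probe/", "ELB-HealthChecker/")

# Constructed sample access-log lines (not real traffic): one noisy client,
# one ordinary browser, a Kubernetes health probe, and a later out-of-window hit.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Nov/2025:10:02:11 +0000] "GET /admin.php HTTP/1.1" 500 312 "-" "python-requests/2.31"
203.0.113.7 - - [19/Nov/2025:10:02:12 +0000] "GET /wp-login.php HTTP/1.1" 500 312 "-" "python-requests/2.31"
203.0.113.7 - - [19/Nov/2025:10:02:13 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [19/Nov/2025:10:02:14 +0000] "GET /api/v1/users HTTP/1.1" 502 176 "-" "python-requests/2.31"
203.0.113.7 - - [19/Nov/2025:10:02:15 +0000] "POST /login HTTP/1.1" 500 312 "-" "python-requests/2.31"
203.0.113.7 - - [19/Nov/2025:10:02:16 +0000] "GET /cgi-bin/test HTTP/1.1" 504 167 "-" "python-requests/2.31"
203.0.113.7 - - [19/Nov/2025:10:02:17 +0000] "GET /backup.zip HTTP/1.1" 503 190 "-" "python-requests/2.31"
198.51.100.4 - - [19/Nov/2025:10:03:40 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Nov/2025:10:04:02 +0000] "GET /checkout HTTP/1.1" 503 190 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Nov/2025:10:01:00 +0000] "GET /healthz HTTP/1.1" 503 12 "-" "kube-probe/1.29"
10.0.0.5 - - [19/Nov/2025:10:03:00 +0000] "GET /healthz HTTP/1.1" 503 12 "-" "kube-probe/1.29"
10.0.0.5 - - [19/Nov/2025:10:05:00 +0000] "GET /healthz HTTP/1.1" 503 12 "-" "kube-probe/1.29"
203.0.113.7 - - [19/Nov/2025:10:15:30 +0000] "GET /phpmyadmin/ HTTP/1.1" 500 312 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = m["req"].split()
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": parts[1] if len(parts) > 1 else m["req"],
        "status": int(m["status"]),
        "ua": m["ua"],
    }


def window_start(ts):
    """Floor a timestamp to the start of its ten-minute evaluation window."""
    floored = ts.minute - ts.minute % WINDOW_MINUTES
    return ts.replace(minute=floored, second=0, microsecond=0)


def find_error_bursts(lines, threshold=5):
    """Return one alert per (window, client) whose 5xx count reaches the threshold."""
    errors = defaultdict(Counter)   # window -> Counter of client IP -> 5xx count
    paths = defaultdict(set)        # (window, ip) -> distinct paths that errored
    agents = defaultdict(set)       # (window, ip) -> user agents seen
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["status"] not in ERROR_CODES:
            continue
        if ev["ua"].startswith(HEALTH_CHECK_UA_PREFIXES):
            continue                # expected health-check noise, not reconnaissance
        w = window_start(ev["ts"])
        errors[w][ev["ip"]] += 1
        paths[(w, ev["ip"])].add(ev["path"])
        agents[(w, ev["ip"])].add(ev["ua"])

    alerts = []
    for w, per_client in errors.items():
        for ip, n in per_client.items():
            if n >= threshold:
                alerts.append({
                    "window_start": w.isoformat(),
                    "client": ip,
                    "errors": n,
                    "distinct_paths": len(paths[(w, ip)]),
                    "user_agents": sorted(agents[(w, ip)]),
                })
    alerts.sort(key=lambda a: (a["window_start"], -a["errors"]))
    return alerts


if __name__ == "__main__":
    for alert in find_error_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, only 203.0.113.7 is reported: its six 5xx responses across six different paths in one window, with a scripted user agent, is exactly the pattern the investigation steps single out, while the browser's single 503 and the health probe's three 503s are left alone. The 404 is ignored because it is not one of the rule's codes, and the 500 at 10:15 falls into the next window and starts a fresh count.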
Categories
- Web
- Network
Data Sources
- Network Traffic
- Named Pipe
- Network Share
- Web Credential
- Application Log
ATT&CK Techniques
- T1595
- T1595.002
- T1595.003
Created: 2025-11-19