
Summary
This rule detects potential web server discovery or fuzzing activity, in which an attacker probes a web server for hidden or unlinked resources. It looks for a high volume of HTTP GET requests that return 404 (Not Found) or 403 (Forbidden) responses from a single source IP address within a short time window. Automated tools produce this pattern when they iterate through a wordlist of candidate paths: most guesses miss, so the server answers with a burst of error responses. Flagging this behavior early gives defenders a chance to respond before the enumeration is followed by targeted exploitation of whatever was found.
The rule queries access-log data from several web server technologies, including Nginx, Apache HTTP Server, Apache Tomcat, and IIS, and matches GET requests whose error responses are characteristic of discovery attempts. Attackers typically probe paths such as /admin/, /login, or /.env in search of exposed administrative interfaces, authentication endpoints, or leaked configuration files. The rule also includes triage and analysis guidance for investigation: verifying whether the requests are legitimate, checking the source against known internal scanning tools, and assessing the likelihood that the alert is a false positive.
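The following is an added example, not the rule's own query or any project code, that runs the detection logic described above over a handful of constructed access-log lines in Apache/Nginx "combined" format. The threshold (10 error responses), the one-minute sliding window, the allowlist of internal scanner addresses, the log lines, and the IP addresses are all assumptions made for the example; the page does not state the rule's real thresholds, and Tomcat and IIS write different log formats that would need their own parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" access-log format. Constructed for this example;
# the real rule's parsing is handled by the log-ingestion pipeline.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_discovery(lines, threshold=10, window=timedelta(minutes=1),
                     statuses=(403, 404), allowlist=frozenset()):
    """Flag source IPs that issue >= threshold GET requests answered with
    403/404 inside any sliding window. Returns {ip: (window_start, count, paths)}.
    IPs in the allowlist (e.g. authorized internal scanners) are skipped, which
    is the triage step the rule's guidance describes."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] not in statuses:
            continue
        if rec["ip"] in allowlist:
            continue
        by_ip[rec["ip"]].append((rec["ts"], rec["path"]))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        best = None
        # Two-pointer sliding window over the time-sorted error responses.
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[1]):
                paths = sorted({p for _, p in events[start:end + 1]})
                best = (events[start][0], count, paths)
        if best:
            alerts[ip] = best
    return alerts


# Constructed sample log: one external wordlist scanner, one ordinary visitor,
# and one internal authorized scanner. Addresses are documentation ranges.
def _line(ip, sec, path, status):
    return (f'{ip} - - [19/Nov/2025:10:15:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 153 "-" "Mozilla/5.0"')

SCAN_PATHS = ["/admin/", "/login", "/.env", "/backup.zip", "/wp-login.php",
              "/phpmyadmin/", "/.git/HEAD", "/config.php", "/api/",
              "/uploads/", "/server-status"]
INTERNAL_SCANNERS = frozenset({"10.0.0.5"})  # assumed allowlist

SAMPLE_LOG = (
    # External scanner: 11 misses (two of them 403) plus one legitimate 200.
    [_line("203.0.113.7", i, p, 403 if p in ("/.git/HEAD", "/server-status") else 404)
     for i, p in enumerate(SCAN_PATHS)]
    + [_line("203.0.113.7", 11, "/robots.txt", 200)]
    # Ordinary visitor: a few 404s for favicons are normal, not discovery.
    + [_line("198.51.100.20", 12, "/index.html", 200),
       _line("198.51.100.20", 13, "/about", 200),
       _line("198.51.100.20", 14, "/favicon.ico", 404),
       _line("198.51.100.20", 40, "/favicon.ico", 404),
       _line("198.51.100.20", 41, "/apple-touch-icon.png", 404)]
    # Internal scanner: looks identical to the attacker, suppressed by allowlist.
    + [_line("10.0.0.5", 20 + i, f"/scan/{i}", 404) for i in range(15)]
)

if __name__ == "__main__":
    for ip, (start, count, paths) in detect_discovery(SAMPLE_LOG, allowlist=INTERNAL_SCANNERS).items():
        print(f"{ip}: {count} error responses from {start.isoformat()}; paths {paths}")
```

Running it without the allowlist flags both 203.0.113.7 and 10.0.0.5, which is exactly the false positive the rule's triage guidance tells an analyst to check for; with the allowlist only the external scanner is reported, together with the probed paths that feed the next investigation step.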
Categories
- Web
- Network
Data Sources
- Network Traffic
- Network Share
- Named Pipe
- Web Credential
- Application Log
ATT&CK Techniques
- T1595 (Active Scanning)
- T1595.002 (Active Scanning: Vulnerability Scanning)
- T1595.003 (Active Scanning: Wordlist Scanning)
Created: 2025-11-19