
Summary
Technical summary: This detection identifies probable automated web reconnaissance using Cisco Secure Access proxy telemetry. It examines HTTP responses returned to requests from a single source IP and aggregates them by source IP, destination domain, and 10-minute window to surface enumeration patterns.

The detection looks for a high volume of HTTP client errors (status codes 400, 401, 403, 404, 405, 407, 414, 429, 431) spread across a large number of unique URLs within a short period. The underlying query normalizes the relevant fields (src_ip, host, user, user_agent), extracts the destination domain from the URL, buckets time into 10-minute intervals, and computes two values per bucket: the total number of client errors and the count of unique URLs observed. It triggers when errors exceed 100 and unique URLs exceed 50, a combination that indicates directory or file enumeration of the kind produced by tools such as Gobuster, DirBuster, ffuf, or Burp Intruder. Both conditions must hold: a client that retries the same few broken links hundreds of times produces many errors but few unique URLs and does not trigger the rule.

The rule is intended to help identify pre-exploitation scanning, insider reconnaissance, compromised endpoints performing discovery, and attempts to locate hidden administrative paths, APIs, backups, and exposed application files. It maps to MITRE ATT&CK technique T1595 (Active Scanning) and is meant to be used in Cisco Secure Access proxy telemetry contexts to flag suspicious reconnaissance activity.
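The aggregation and threshold logic described above, written out as an added Python example so the behaviour can be checked offline. This is not the Cisco Secure Access query itself; the record layout (ts, src_ip, url, status), the helper names, and the sample telemetry are all constructed for illustration. The sample includes three sources: a wordlist scanner (many errors, many unique URLs), a normal user, and a client that repeatedly retries a small set of missing paths, which shows why the rule requires both thresholds rather than an error count alone.

```python
"""Added example of the detection logic: group proxy records by
(src_ip, domain, 10-minute window) and flag buckets that exceed
both the error-count and unique-URL thresholds.  Not Cisco's query."""
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlparse

# Status codes the rule treats as client errors.
CLIENT_ERROR_CODES = {400, 401, 403, 404, 405, 407, 414, 429, 431}
ERROR_THRESHOLD = 100       # rule fires when errors > 100 ...
UNIQUE_URL_THRESHOLD = 50   # ... and distinct URLs > 50 in one bucket
WINDOW_SECONDS = 600        # 10-minute buckets


def extract_domain(url):
    """Destination domain from a full URL: lowercased, port stripped."""
    host = urlparse(url).hostname
    return host if host else ""


def window_start(ts):
    """Floor an epoch timestamp (seconds) to the start of its 10-minute bucket."""
    ts = int(ts)
    return ts - (ts % WINDOW_SECONDS)


def detect_enumeration(records):
    """Return one finding per (src_ip, domain, window) bucket that exceeds
    both thresholds.  Records are dicts with ts, src_ip, url, status."""
    error_count = defaultdict(int)
    unique_urls = defaultdict(set)
    for rec in records:
        if rec["status"] not in CLIENT_ERROR_CODES:
            continue  # only client errors contribute to either counter
        key = (rec["src_ip"], extract_domain(rec["url"]), window_start(rec["ts"]))
        error_count[key] += 1
        unique_urls[key].add(rec["url"])

    findings = []
    for key, n_errors in error_count.items():
        n_urls = len(unique_urls[key])
        if n_errors > ERROR_THRESHOLD and n_urls > UNIQUE_URL_THRESHOLD:
            src_ip, domain, start = key
            findings.append({
                "src_ip": src_ip,
                "domain": domain,
                "window_start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
                "errors": n_errors,
                "unique_urls": n_urls,
            })
    return sorted(findings, key=lambda f: (f["src_ip"], f["domain"], f["window_start"]))


def build_sample_records():
    """Constructed sample telemetry (not real logs) covering three sources."""
    base = 1_700_000_000  # arbitrary epoch second; all records land in one bucket
    records = []
    # 10.1.2.3: wordlist scanner, 120 distinct paths, every one a 404.
    for i in range(120):
        records.append({"ts": base + i, "src_ip": "10.1.2.3",
                        "url": f"https://intranet.example.test/dir{i}/", "status": 404})
    # 10.1.2.4: normal browsing, mostly 200s with a handful of 404s.
    for i in range(10):
        records.append({"ts": base + 30 + i, "src_ip": "10.1.2.4",
                        "url": f"https://intranet.example.test/page{i}", "status": 200})
    for i in range(5):
        records.append({"ts": base + 60 + i, "src_ip": "10.1.2.4",
                        "url": f"https://intranet.example.test/missing{i}", "status": 404})
    # 10.1.2.5: a client retrying 40 broken links three times each.
    # 120 errors, but only 40 unique URLs, so the rule should stay quiet.
    for rep in range(3):
        for i in range(40):
            records.append({"ts": base + 100 + rep * 40 + i, "src_ip": "10.1.2.5",
                            "url": f"https://intranet.example.test/stale{i}", "status": 404})
    return records


if __name__ == "__main__":
    for finding in detect_enumeration(build_sample_records()):
        print(finding)
```

Running the block prints a single finding, for 10.1.2.3, with 120 errors across 120 unique URLs; the retrying client at 10.1.2.5 crosses the error threshold but not the unique-URL threshold and is correctly ignored. In a production pipeline the same two counters would be computed by the proxy log platform's aggregation rather than in Python, but the grouping key and the dual threshold are what matter.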
Categories
- Network
Data Sources
- Cloud Service
- Cloud Storage
- Web Credential
- Named Pipe
ATT&CK Techniques
- T1595
Created: 2026-06-09