
Summary
This rule implements a passthrough detection for the AWS WAF managed IP reputation rule groups. It detects matches against AWSManagedRulesAmazonIpReputationList and AWSManagedRulesAnonymousIpList, flagging requests from IPs on threat intelligence lists (including known bots, reconnaissance sources, DDoS participants, Tor exit nodes, temporary proxies, and hosting/cloud provider IPs). Some matches terminate the request (BLOCK) via the AWS managed rule groups; the rule also surfaces non-terminating matches (COUNT), so that counted hits are correlated and alerted on rather than only blocked.

The included tests cover several scenarios: blocks by the reputation list; reconnaissance list matches within the reputation group; non-terminating COUNT matches; DDoS list matches; anonymous IP blocks; hosting-provider IPs counted rather than terminated; and negative cases with non-alerting rule groups or normal traffic. The runbook guides analysts to assess scope across HTTP requests from the same client IP, verify the IP against threat intelligence feeds, and review related alerts over the past week to identify broader malicious activity. A reference to the AWS WAF managed rule group IP reputation documentation is provided for context.

Overall, this rule supports detection and alerting on web-exposed surfaces and initial access/reconnaissance activity, while leaving enforcement (BLOCK versus COUNT) to the underlying managed rule groups.
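The passthrough logic described above, written out as an added example in Python (not the rule's own code). It assumes AWS WAF log records with the standard `ruleGroupList` shape, that the managed group name appears as a substring of `ruleGroupId`, and that sub-rule ids such as `AWSManagedIPReputationList` and `HostingProviderIPList` are the ones AWS emits inside those groups; the sample records are constructed.

```python
# Added example of the passthrough check described above; not the rule's own code.
# Assumed (not on the page): the managed group name is a substring of
# ruleGroupList[].ruleGroupId, and sub-rule ids such as AWSManagedIPReputationList
# and HostingProviderIPList are the ones AWS emits inside those groups.
IP_REPUTATION_GROUPS = (
    "AWSManagedRulesAmazonIpReputationList",
    "AWSManagedRulesAnonymousIpList",
)

def reputation_matches(event):
    """Return [(group, rule_id, action)] for every terminating or
    non-terminating match inside the two IP reputation rule groups, so a
    COUNT-only match alerts just like a terminating BLOCK."""
    hits = []
    for group in event.get("ruleGroupList") or []:
        group_id = group.get("ruleGroupId", "")
        name = next((g for g in IP_REPUTATION_GROUPS if g in group_id), None)
        if name is None:
            continue  # some other rule group (e.g. SQLi) is not our concern
        term = group.get("terminatingRule")
        if term:
            hits.append((name, term.get("ruleId"), term.get("action")))
        for nt in group.get("nonTerminatingMatchingRules") or []:
            hits.append((name, nt.get("ruleId"), nt.get("action")))
    return hits

def rule(event):
    """Alert on any reputation/anonymous-IP match, blocked or merely counted."""
    return bool(reputation_matches(event))

# Constructed, abbreviated AWS WAF log records for the three cases.
BLOCKED = {  # reputation list match, terminated by the managed group
    "action": "BLOCK", "terminatingRuleId": "AWS-AWSManagedRulesAmazonIpReputationList",
    "httpRequest": {"clientIp": "203.0.113.10", "uri": "/login"},
    "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesAmazonIpReputationList",
        "terminatingRule": {"ruleId": "AWSManagedIPReputationList", "action": "BLOCK"},
        "nonTerminatingMatchingRules": []}],
}
COUNTED = {  # hosting-provider IP counted, request still allowed
    "action": "ALLOW", "terminatingRuleId": "Default_Action",
    "httpRequest": {"clientIp": "198.51.100.7", "uri": "/"},
    "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesAnonymousIpList",
        "terminatingRule": None,
        "nonTerminatingMatchingRules": [{"ruleId": "HostingProviderIPList", "action": "COUNT"}]}],
}
NORMAL = {  # no reputation group matched at all
    "action": "ALLOW", "terminatingRuleId": "Default_Action",
    "httpRequest": {"clientIp": "192.0.2.5", "uri": "/"}, "ruleGroupList": [],
}
```

Note that `COUNTED` fires even though the request was allowed; that is the non-terminating behaviour the summary refers to.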
Categories
- Web
Data Sources
- Network Traffic
ATT&CK Techniques
- T1190
- T1595
- T1090
Created: 2026-03-31