AWS WAF Managed Core Rule Set Passthrough Rule

Panther Rules

Summary
Detects AWS WAF Managed Core Rule Set (CRS) matches in WAF logs and raises an alert when a CRS rule blocks a request or records a COUNT-mode match. This is a passthrough detection: the WAF has already made the allow/block decision, and the rule surfaces that decision as a signal of probing or attempted exploitation of publicly facing applications. It covers the CRS rule families for XSS, LFI, RFI, SSRF, size restrictions, restricted file extensions, and bad-bot user agents, across every WAF log source (e.g., ALB, CloudFront).

The rule maps to MITRE ATT&CK TA0001:T1190 (Exploit Public-Facing Application) and supports threat hunting by correlating WAF events with other alerts and threat intelligence. Its scenarios cover blocks attributed to a terminating rule, matches reported in ruleGroupList, and COUNT-mode matches that did not terminate evaluation, and it separates relevant CRS activity from non-threatening traffic. Its purpose is to aid detection and investigation of attempted exploitation or vulnerability scanning against internet-facing web applications.
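The following is an added illustration of the detection logic described above, written in the `rule(event)` / `title(event)` shape Panther rules use; it is not the published rule's own source. Field names follow the AWS WAF log schema (`action`, `terminatingRuleType`, `ruleGroupList`, `httpSourceName`, `httpRequest`), the CRS rule-name prefixes are the names AWS uses in its logs, and the three sample events are constructed for this example. The split into a terminating-rule scenario and a COUNT-mode scenario, and the choice to ignore lower-value CRS rules such as `NoUserAgent_HEADER`, are this example's assumptions about how the page's scenarios map onto the log format.

```python
"""Detection logic for AWS WAF Managed Core Rule Set (CRS) matches.

Added example, not the Panther rule's own source. Field names follow the AWS
WAF log schema; the sample events at the bottom are constructed, not real logs.
"""
from typing import Any, Dict, List

CRS_GROUP = "AWSManagedRulesCommonRuleSet"

# CRS rule-name prefixes treated as relevant (names as they appear in WAF logs).
# Other CRS rules, e.g. NoUserAgent_HEADER, are deliberately left out so that
# routine noise does not fire the rule (assumption of this example).
CRS_FAMILIES = (
    "CrossSiteScripting_",    # XSS
    "GenericLFI_",            # local file inclusion
    "GenericRFI_",            # remote file inclusion
    "EC2MetaDataSSRF_",       # SSRF towards the instance metadata service
    "SizeRestrictions_",      # oversized request components
    "RestrictedExtensions_",  # requests for .log, .ini, .conf and similar
    "UserAgent_BadBots_",     # known bad-bot user agents
)


def is_relevant_crs_rule(rule_id: str) -> bool:
    return rule_id.startswith(CRS_FAMILIES)


def crs_matches(event: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Collect CRS hits from the places a WAF log can report them."""
    hits: List[Dict[str, Any]] = []
    for group in event.get("ruleGroupList") or []:
        if CRS_GROUP not in str(group.get("ruleGroupId", "")):
            continue
        # Scenario 1: the CRS group terminated evaluation (a BLOCK).
        term = group.get("terminatingRule") or {}
        if is_relevant_crs_rule(str(term.get("ruleId", ""))):
            hits.append({"ruleId": term["ruleId"],
                         "action": term.get("action", "BLOCK"),
                         "terminating": True})
        # Scenario 2: COUNT-mode matches that did not stop evaluation.
        for nt in group.get("nonTerminatingMatchingRules") or []:
            if nt.get("action") == "COUNT" and is_relevant_crs_rule(str(nt.get("ruleId", ""))):
                hits.append({"ruleId": nt["ruleId"], "action": "COUNT", "terminating": False})
    return hits


def rule(event: Dict[str, Any]) -> bool:
    return bool(crs_matches(event))


def title(event: Dict[str, Any]) -> str:
    hits = crs_matches(event)
    rules = ", ".join(sorted({h["ruleId"] for h in hits}))
    mode = "BLOCK" if any(h["terminating"] for h in hits) else "COUNT"
    src = event.get("httpSourceName", "unknown source")
    client = (event.get("httpRequest") or {}).get("clientIp", "unknown client")
    return f"AWS WAF CRS {mode} on {src}: [{rules}] from {client}"


# Constructed sample events (not real logs), following the AWS WAF log layout.
BLOCKED_XSS = {
    "action": "BLOCK",
    "httpSourceName": "ALB",
    "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet",
    "terminatingRuleType": "MANAGED_RULE_GROUP",
    "ruleGroupList": [{
        "ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
        "terminatingRule": {"ruleId": "CrossSiteScripting_BODY", "action": "BLOCK"},
        "nonTerminatingMatchingRules": [],
    }],
    "httpRequest": {"clientIp": "203.0.113.10", "uri": "/search", "httpMethod": "POST"},
}

COUNTED_LFI = {
    "action": "ALLOW",
    "httpSourceName": "CF",
    "terminatingRuleId": "Default_Action",
    "terminatingRuleType": "REGULAR",
    "ruleGroupList": [{
        "ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
        "terminatingRule": None,
        "nonTerminatingMatchingRules": [{"ruleId": "GenericLFI_URIPATH", "action": "COUNT"}],
    }],
    "httpRequest": {"clientIp": "198.51.100.7", "uri": "/../../etc/passwd", "httpMethod": "GET"},
}

BENIGN = {
    "action": "ALLOW",
    "httpSourceName": "ALB",
    "terminatingRuleId": "Default_Action",
    "terminatingRuleType": "REGULAR",
    "ruleGroupList": [{
        "ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
        "terminatingRule": None,
        "nonTerminatingMatchingRules": [{"ruleId": "NoUserAgent_HEADER", "action": "COUNT"}],
    }],
    "httpRequest": {"clientIp": "192.0.2.5", "uri": "/healthz", "httpMethod": "GET"},
}

if __name__ == "__main__":
    for ev in (BLOCKED_XSS, COUNTED_LFI, BENIGN):
        print(rule(ev), title(ev) if rule(ev) else "no relevant CRS match")
```

The COUNT scenario is the one worth watching in practice: a request that the WAF allowed because the CRS group runs in count mode still carries the match in `nonTerminatingMatchingRules`, and that is exactly the traffic a passthrough rule exists to surface for correlation with other alerts.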
Categories
  • Web
  • Cloud
  • AWS
  • Network
  • Application
Data Sources
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1190
Created: 2026-03-31