
AWS WAF Managed Admin Protection Passthrough Rule

Panther Rules

Summary
This detection rule targets AWS WAF Managed Admin Protection rule group matches in AWS WAF web ACL logs to surface attempts to access web-based administrative interfaces. It focuses on admin-related URIs (e.g., /admin, /wp-admin, and similar paths) that are protected by the AWSManagedRulesAdminProtectionRuleSet. When a terminating rule from the Admin Protection group fires with a BLOCK action on a request, the rule flags the event as an alert. The rule also accounts for non-terminating matches via the ruleGroupList, which may contain nonTerminatingMatchingRules such as AdminProtection_URIPATH with a COUNT action; this gives visibility into potential probing activity even when the WAF ultimately allows the request.

The rule has a threshold of 1 and a 60-minute deduplication window, so a single relevant admin-protection event in that window triggers an alert. It relies on WAF log fields including webaclId, terminatingRuleId, action, httpSourceName, httpRequest.clientIp, httpRequest.uri, and httpRequest.country to characterize the event and its origin (e.g., IPs from US, CN, RU).

The Runbook recommends correlation steps: verify whether the client IP belongs to a corporate network or VPN, and search for related authentication events or other WAF alerts from the same IP within the past 24 hours.

The Tests section demonstrates representative scenarios: a direct admin-page block via AWSManagedRulesAdminProtectionRuleSet (terminatingRuleId AdminProtection_URIPATH), a matching ruleGroupList entry showing the COUNT action of a non-terminating rule, a non-terminating match that does not block traffic, and negative cases where a different rule group or normal traffic should not trigger an alert. Overall, this rule enables rapid detection and investigation of attempted exploitation of admin interfaces on web-facing applications by highlighting admin-path access attempts associated with the AWS Admin Protection rule group.
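The matching logic described above, as an added example written for this page rather than Panther's own rule code. It runs over constructed AWS WAF web ACL log events (field names follow the WAF log format; the IP addresses and URIs are sample values), covering the terminating BLOCK case, the non-terminating COUNT case, and a negative case from a different rule group:

```python
# Added example, not Panther's rule code: minimal check over constructed AWS WAF log events.
from typing import Any

ADMIN_RULE_GROUP = "AWSManagedRulesAdminProtectionRuleSet"
ADMIN_RULE_PREFIX = "AdminProtection_"  # e.g. AdminProtection_URIPATH


def admin_protection_matches(event: dict[str, Any]) -> list[str]:
    """Return the Admin Protection rule IDs that matched this request.

    A terminating BLOCK and a non-terminating COUNT inside ruleGroupList are
    both reported, so probing that the ACL still allowed is surfaced."""
    matched: list[str] = []
    rule_id = event.get("terminatingRuleId", "")
    if rule_id.startswith(ADMIN_RULE_PREFIX) and event.get("action") == "BLOCK":
        matched.append(rule_id)
    for group in event.get("ruleGroupList") or []:
        # Managed rule group IDs appear as "AWS#<RuleSetName>" in WAF logs.
        if ADMIN_RULE_GROUP not in str(group.get("ruleGroupId", "")):
            continue
        for sub in group.get("nonTerminatingMatchingRules") or []:
            if sub.get("ruleId", "").startswith(ADMIN_RULE_PREFIX) and sub.get("action") == "COUNT":
                matched.append(sub["ruleId"])
    return matched


def rule(event: dict[str, Any]) -> bool:
    return bool(admin_protection_matches(event))


# Constructed sample events; field names follow the AWS WAF web ACL log format.
BLOCKED = {"terminatingRuleId": "AdminProtection_URIPATH", "action": "BLOCK",
           "ruleGroupList": [],
           "httpRequest": {"clientIp": "203.0.113.10", "uri": "/wp-admin/", "country": "US"}}
COUNTED = {"terminatingRuleId": "Default_Action", "action": "ALLOW",
           "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesAdminProtectionRuleSet",
                              "nonTerminatingMatchingRules": [
                                  {"ruleId": "AdminProtection_URIPATH", "action": "COUNT"}]}],
           "httpRequest": {"clientIp": "198.51.100.7", "uri": "/admin", "country": "CN"}}
OTHER_GROUP = {"terminatingRuleId": "NoUserAgent_HEADER", "action": "BLOCK",
               "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
                                  "nonTerminatingMatchingRules": []}],
               "httpRequest": {"clientIp": "192.0.2.5", "uri": "/", "country": "RU"}}
```

The COUNTED event is the case the summary calls out: the ACL allowed the request, but the Admin Protection group still recorded a non-terminating match, so it is reported for investigation.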
Categories
  • Web
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1190
  • T1083
Created: 2026-03-31