
Summary
This detection rule identifies potential SQL injection attacks by inspecting the request URI of GET requests recorded in web server access logs. Because SQL injection remains one of the most common web application vulnerabilities, the rule matches a set of keywords and strings commonly seen in injection payloads, such as 'select', 'union' and other SQL commands and functions, rather than attempting to parse the query itself. The selection is restricted to GET requests, so only injection attempts carried in the URL or query string are visible to it; payloads sent in POST bodies are not present in a standard access log and are outside its scope. The rule also excludes requests that returned a 404 status code, since scanners routinely probe non-existent paths and these responses are frequent enough to generate a large volume of false positives. The trade-off is that an injection attempt against a path that happens to return 404 is not reported, so the filter reduces noise at the cost of some coverage. Because matching is keyword-based, legitimate URIs that contain SQL-like words can still trigger it, and the rule is marked with testing status, meaning it should be tuned against the deployment's own traffic before being relied on for alerting. It was created by authors affiliated with Nextron Systems and Yoma Bank. Its purpose is to give early warning of SQL injection attempts against web applications so that a potential breach can be investigated before it succeeds.
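The detection logic described above, run over a few constructed access log lines, as an added example that is not the rule's own definition or code. It mirrors the summary's approach (GET requests only, 404 responses excluded, keyword match on the request URI) and adds one step a practitioner would want: the URI is URL-decoded repeatedly before matching, so double-encoded payloads are normalised. The keyword list, the log format regex and the sample lines are assumptions made for this example; the page itself names only 'select' and 'union'.

```python
"""Flag GET requests whose URI carries SQL injection keywords.

Added example mirroring the rule summary; it is not the Sigma rule itself.
The keyword list and the sample log lines below are constructed for this
example.
"""
import re
from urllib.parse import unquote_plus

# Apache/nginx combined log format (assumed here):
# client ident user [time] "METHOD URI PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed keyword list, matched case-insensitively after URL decoding.
# Trailing spaces on some entries keep paths such as /selectedItems from
# matching on the bare word; the list is illustrative, not the rule's own.
SQLI_KEYWORDS = (
    "union select", "select ", " from ", "insert into", "delete from",
    "drop table", "sleep(", "benchmark(", "waitfor delay",
    "information_schema", "xp_cmdshell",
)


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def decode_uri(uri, max_rounds=3):
    """URL-decode until the value stops changing, so %2520 -> %20 -> ' '.

    The round limit bounds the work done on hostile input.
    """
    for _ in range(max_rounds):
        decoded = unquote_plus(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def matched_keywords(uri):
    """Return the keywords found in the decoded, lower-cased URI."""
    decoded = decode_uri(uri).lower()
    return [k for k in SQLI_KEYWORDS if k in decoded]


def is_sqli_candidate(entry):
    """Apply the rule's selection: GET only, status not 404, keyword hit."""
    if entry is None or entry["method"] != "GET":
        return False
    if entry["status"] == 404:
        return False
    return bool(matched_keywords(entry["uri"]))


def scan(lines):
    """Return (client, status, decoded URI, keywords) for each flagged line."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if is_sqli_candidate(entry):
            hits.append((entry["client"], entry["status"],
                         decode_uri(entry["uri"]),
                         matched_keywords(entry["uri"])))
    return hits


# Constructed sample log lines: one classic UNION payload, benign traffic,
# a payload against a missing page (404), a POST, a '+'-encoded payload,
# a double-encoded payload and a benign path containing the word 'selected'.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Feb/2020:10:15:01 +0000] "GET /products?id=1%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 5120',
    '198.51.100.4 - - [22/Feb/2020:10:15:03 +0000] "GET /search?q=running+shoes HTTP/1.1" 200 8831',
    '203.0.113.7 - - [22/Feb/2020:10:15:05 +0000] "GET /old.php?id=1%27%20OR%20SLEEP(5)-- HTTP/1.1" 404 169',
    '198.51.100.4 - - [22/Feb/2020:10:15:07 +0000] "POST /login HTTP/1.1" 302 0',
    '203.0.113.7 - - [22/Feb/2020:10:15:09 +0000] "GET /items?id=1+and+1=(select+1) HTTP/1.1" 500 312',
    '203.0.113.7 - - [22/Feb/2020:10:15:11 +0000] "GET /items?id=1%2520union%2520select%25201 HTTP/1.1" 200 312',
    '198.51.100.4 - - [22/Feb/2020:10:15:13 +0000] "GET /api/selectedItems?cart=42 HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for client, status, uri, keywords in scan(SAMPLE_LOG):
        print(f"{client} {status} {uri!r} -> {keywords}")
```

Three of the seven lines are reported: the UNION payload, the '+'-encoded payload that produced a 500, and the double-encoded payload that only matches after the second decoding round. The SLEEP payload is dropped by the 404 filter and the POST is never examined, which is exactly the coverage gap noted above. Repeated decoding also turns a literal encoded plus (%2B) into a space, a side effect worth remembering when tuning the keyword list against real traffic.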
Categories
- Web
- Application
Data Sources
- Web Credential
- Application Log
- Network Traffic
Created: 2020-02-22