
Summary
This detection rule identifies potential Cross-Site Scripting (XSS) attack attempts injected via GET requests, as recorded in web server access logs. It matches requests whose query strings contain specific XSS payloads, such as variations of `<script>` tags and other vectors commonly used in XSS attacks. The rule filters out requests with a 404 response status code, since those requests did not reach a valid endpoint. The detection criteria are a specified HTTP method (GET) and a set of keywords found within the query strings of incoming requests. False positives may arise from benign scripts, CSS files, images, or user input in search fields; additional filters could be added to reduce such occurrences.
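The logic described above, run over a few constructed access-log lines, as an added example (not the rule's own implementation). It assumes Apache combined log format and uses an illustrative keyword set, and URL-decodes the query string twice so double-encoded payloads are also caught.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format (not taken from the page).
SAMPLE_LOG = """\
203.0.113.5 - - [15/Aug/2021:10:00:01 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Aug/2021:10:00:02 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Aug/2021:10:00:03 +0000] "GET /static/app.js HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.8 - - [15/Aug/2021:10:00:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Aug/2021:10:00:05 +0000] "GET /item?name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Aug/2021:10:00:06 +0000] "GET /search?q=javascript%20tutorial HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined format: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Illustrative XSS keyword set (an assumption; the rule's full list is not on the page).
XSS_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"<script\b", r"</script>", r"javascript:",
    r"\bon(error|load|click|mouseover)\s*=", r"<iframe\b", r"<svg\b")]


def is_xss_get_request(line):
    """Return a hit dict for a GET request with an XSS keyword in its query string, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                      # unparseable line: skip rather than alert
    if m["method"] != "GET" or m["status"] == "404":
        return None                      # rule scope: GET only, 404 responses excluded
    target = m["target"]
    if "?" not in target:
        return None                      # no query string, nothing to inspect
    query = unquote_plus(target.split("?", 1)[1])
    query = unquote_plus(query)          # second pass catches double-encoded payloads
    for pat in XSS_PATTERNS:
        if pat.search(query):
            return {"ip": m["ip"], "target": target, "matched": pat.pattern}
    return None


def scan(log_text):
    """Apply the detection to every line and collect the hits in order."""
    return [h for h in (is_xss_get_request(l) for l in log_text.splitlines()) if h]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Only the 200-status `<script>` request and the `onerror=` request are reported; the identical 404 request, the static .js file, the POST and the benign "javascript tutorial" search are left alone.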
Categories
- Web
- Application
Data Sources
- Web Credential
- Network Traffic
Created: 2021-08-15