
Summary
This rule detects Server Side Template Injection (SSTI) attempts made through GET requests, as recorded in web server access logs. SSTI is a vulnerability that arises when user-controlled input is evaluated as code by a server-side template engine; attackers exploit it to execute arbitrary code on the server. The rule looks for keywords and patterns commonly found in SSTI payloads, such as template expressions and scripting functions, and monitors GET requests specifically; it excludes HTTP 404 responses to reduce false positives. The matching conditions are therefore: the HTTP method is 'GET', the request matches a predefined list of SSTI-related keywords, and the response status is not 404. The rule aims to detect attempts to exploit SSTI vulnerabilities in web applications. Legitimate user activity or internal scanning tools may trigger false positives, so further filtering of the logged requests is encouraged to improve the relevance of matches.
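As an added example (not part of this rule page), the following Python applies the three conditions above to constructed Apache combined-format access-log lines, URL-decoding the request URI first because SSTI probes usually arrive percent-encoded. The indicator list and the sample log lines are this example's own assumptions, not the rule's keyword list.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format), not from the page.
SAMPLE_LOGS = [
    '10.0.0.5 - - [14/Jun/2022:10:01:02 +0000] "GET /search?q=%7B%7B7*7%7D%7D HTTP/1.1" 200 512 "-" "curl/7.81"',
    '10.0.0.5 - - [14/Jun/2022:10:01:03 +0000] "GET /search?q=%7B%7B7*7%7D%7D HTTP/1.1" 404 120 "-" "curl/7.81"',
    '10.0.0.9 - - [14/Jun/2022:10:02:10 +0000] "POST /login HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [14/Jun/2022:10:03:44 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [14/Jun/2022:10:04:00 +0000] "GET /profile?name=${7*7} HTTP/1.1" 500 33 "-" "python-requests/2.28"',
]

# Assumed indicator list: template delimiters and scripting fragments typical of
# SSTI probes. This is the example's own list, not the rule's keyword list.
SSTI_INDICATORS = ["{{", "}}", "${", "<%", "#{", "__class__", "__globals__"]

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_access_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_ssti_get(rec):
    """Rule logic: method is GET, status is not 404, decoded URI holds an indicator."""
    if rec is None or rec["method"] != "GET" or rec["status"] == 404:
        return False
    # Two decode passes: '%7B%7B' becomes '{{', and double-encoded probes are
    # also caught; decoding plain text a second time is a no-op.
    uri = unquote(unquote(rec["uri"]))
    return any(ind in uri for ind in SSTI_INDICATORS)


def detect_ssti(lines):
    """Return (client, raw URI, status) for every line that matches the rule."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if is_ssti_get(rec):
            hits.append((rec["client"], rec["uri"], rec["status"]))
    return hits


if __name__ == "__main__":
    for hit in detect_ssti(SAMPLE_LOGS):
        print(hit)
```

The second sample line carries the same payload as the first but is dropped because of the 404 filter, which is exactly the false-positive trade-off the rule makes.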
Categories
- Web
Data Sources
- Web Credential
- Network Traffic
Created: 2022-06-14